--- Log opened Fri Aug 01 12:49:14 2008
12:49 -!- ecrist [n=ecrist@snipe.secure-computing.net] has joined #openvpn
12:49 -!- ServerMode/#openvpn [+ns] by zelazny.freenode.net
12:49 -!- Irssi: #openvpn: Total of 1 nicks [1 ops, 0 halfops, 0 voices, 0 normal]
12:49 -!- Irssi: Join to #openvpn was synced in 0 secs
12:49 -!- mode/#openvpn [-s+tc] by ChanServ
12:52 -!- ecrist changed the topic of #openvpn to: OpenVPN | http://openvpn.net
13:19 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
13:19 < krzee> heh right on
13:19 < krzee> link to howto in topic please
13:19 <@ecrist> working on getting some control
13:19 < krzee> ya, good job
13:19 <@ecrist> hang on - I'll give you access
13:20 -!- ecrist changed the topic of ##openvpn to: OpenVPN | http://openvpn.net | HowTo: http://openvpn.net/index.php/documentation/howto.html
13:21 < krzee> nice
13:21 < krzee> that howto is a big win =]
13:22 <@ecrist> for sure.
13:26 -!- mode/##openvpn [-o ecrist] by ecrist
13:27 -!- Irssi: ##openvpn: Total of 2 nicks [0 ops, 0 halfops, 0 voices, 2 normal]
13:28 < ecrist> LoRez has moderated and +i to #openvpn
13:29 < ecrist> and forwarded it to here.
13:33 < krzee> cool
13:33 < krzee> maybe someone should say so in that channel
13:33 < krzee> lol
13:34 -!- intangir [i=Intangir@c-98-197-217-152.hsd1.tx.comcast.net] has joined ##openvpn
13:34 -!- intangir [i=Intangir@c-98-197-217-152.hsd1.tx.comcast.net] has left ##openvpn []
13:38 -!- mode/##openvpn [+r] by ChanServ
13:47 < ecrist> I wonder how long then, until people realize it's too quiet in there.
13:49 -!- SilenceGold [n=chris@adsl-70-232-50-35.dsl.ltrkar.sbcglobal.net] has joined ##openvpn
13:49 < SilenceGold> nice
13:50 < ecrist> I'm not one for take-overs, but there was nobody to moderate that channel before.
13:50 < SilenceGold> yea I understand
13:50 < SilenceGold> so...
13:50 < SilenceGold> how do we get everyone to leave #openvpn
13:50 < SilenceGold> lol
13:50 < ecrist> SilenceGold: they will, in time.
13:51 < SilenceGold> maybe I can flood #openvpn to tell everyone to /hop
13:51 < SilenceGold> lol
13:51 < SilenceGold> like this
13:51 < SilenceGold> /hop
13:51 < ecrist> they'll figure out there's no talking
13:51 < ecrist> you can't, it's +m
13:51 < SilenceGold> oo
13:51 < SilenceGold> didn't notice it
13:51 < ecrist> :)
13:51 < ecrist> I wonder if it's possible to lock the access list.
13:52 < SilenceGold> /msg chanserv help
13:56 -!- Irssi: ##openvpn: Total of 3 nicks [0 ops, 0 halfops, 0 voices, 3 normal]
14:11 -!- JW [n=jw@cvs.claborn.net] has joined ##openvpn
14:16 < JW> Does anyone know if the address assigned to the bridge is supposed to be the same IP address that is normally assigned to the LAN?
14:17 < JW> in other words if I'm bridging eth0 and tap0 - I have one private address I normally use on eth- in /etc/network/interfaces -
14:17 < JW> Is that the address I assign to the bridge?
14:17 < JW> Or is it another unique address?
14:17 < krzee> im unsure, been a long time since i used bridging
14:18 < JW> I'm about ready to go crazy - I think VPN is the hardest thing I've ever tried to set up in 10 years of using Linux.
14:18 < JW> it's worse than hacking xorg.conf by hand.
14:18 < JW> I'm working on the server end - it's Debian Etch.
14:19 < JW> And no matter what method I use to try to do the bridging,
14:19 < krzee> you're sure you want a bridge?
14:19 < JW> there is never a /dev/tap0 or /dev/net/tap0 created
14:19 < JW> I do have a /dev/net/tun that is persistent
14:19 < JW> krzee: well, I think so. I started off trying the routing method, and I got that to work.
14:20 < JW> I'm setting this up for my boss and one other employee to use when they are out of the office
14:20 < krzee> the goal?
14:20 < JW> They want to be able to seamlessly get to any server or workstation on our office LAN using its normal IP
14:20 < JW> we run a 192.168.0.X LAN
14:20 < krzee> windows sharing?
14:20 < JW> NO
14:21 < JW> We do use samba but it's not relevant right now because none of the Linux users mount samba shares on Linux workstations
14:21 < JW> and the VPN is for the Linux users
14:21 < krzee> what in link layer do you need tunneled?
14:21 < JW> sorry for the typos - that was supposed to read "none of the Linux users mount samba shares on Linux workstations"
14:22 < krzee> all good i understood
14:22 < JW> krzee: I'm not sure what you're calling the Link layer -
14:22 < krzee> the layer with mac addresses
14:22 < JW> I must be confused. I thought all traffic on that layer was just packets that contain application data
14:23 < JW> and the application data "type" didn't matter
14:23 < JW> He'll be using primarily ssh
14:23 < JW> also possibly mysql connections
14:23 < krzee> if you need arp, and whatnot tunneled you want bridge
14:23 < krzee> if you want IP tunneled, you want routed
14:23 < JW> possibly want to print to our printers
14:23 < krzee> most people want routed
14:23 < JW> And one of them might want to use DNS and our gateway.
14:24 < krzee> its few exceptions that lead to bridged
14:24 < JW> krzee: At first I, too, thought we wanted routed.
14:24 < JW> Something I read said it was simpler
14:24 < krzee> it is
14:24 < krzee> and i think thats what you want
14:24 < JW> And I got a 1-external client to 1-border server VPN set up and working
14:24 < JW> The problem is I used a different IP range 10.8
14:24 < krzee> no problem
14:25 < krzee> thats good
14:25 < JW> And that client cannot access the other 192.168.0's behind the server when it's set up that way without setting up a bunch of nasty routing rules
14:25 < krzee> ya you need to let it know the routes
14:25 < JW> i started down that path and it looked like a mess - and something in the documentation at that point said it might be better to try bridging
14:25 < krzee> 192.168.0 is not the network on both sides right?
14:26 < krzee> bridging adds more overhead and to me is less easy
14:26 < JW> I also saw something that said if you want to have all clients be on the same net range (192.168.0.*) that it was easier to use bridging
14:26 < krzee> client and server are not both on 192.168.0 right?
14:26 < JW> As far as the network on both sides:
14:26 < JW> it will probably be changing
14:27 < JW> Most of the time the remote client will be using an AT&T data card,
14:27 < JW> and not be attached to a LAN on the remote side
14:27 < JW> Well no, that's how one of the clients will be
14:27 < JW> And that same client will sometimes be on a 10.0.0 network
14:27 < JW> and I suppose every once in a while he'll be on other things at random depending on what hotspot/hotel he's in
14:28 < JW> the other one has a remote office - and I guess a LAN though I have not asked (I'm more worried about the first client who is about to leave the office for a week)
14:28 < JW> I would say let's ignore the client that has the remote LAN for now.
14:28 < JW> krzee: did I lose you?
14:29 < krzee> nah but you're about to
14:29 < krzee> i need to shower and head out =/
14:29 < JW> Ah, well. Too bad.
14:29 < krzee> but imo you want routed and pushed routes
14:29 < krzee> then the router on servers network needs to know the route to 10.8
14:30 < krzee> so when it gets packets from clients it knows where to send them
14:30 < JW> But with that set the clients will see the server as 10.8.* and not 192.168.0.x right?
14:30 < krzee> yes but they will be able to reach 192.168.0 through it if you setup routes
14:30 -!- BoomSie [n=gideon@212-182-158-43.ip.telfort.nl] has joined ##openvpn
14:31 < JW> BTW we can totally ignore the LAN gateway router (I think) because the server doesn't use the LAN gateway: eth-0 (actually eth2) is connected to the internet directly
14:31 < krzee> the other clients in that lan route through the vpn server by default?
14:31 < JW> No all the LAN-only servers have a route that's their gateway
14:32 < JW> router I mean
14:32 < JW> hardware router
14:32 < JW> A cheap DSL router to be exact.
14:32 < krzee> it needs to know how to reach the vpn
14:32 < JW> the router does?
14:32 < krzee> or every lan machine which will be talked to over the lan does
14:33 < krzee> when they get packets from vpn they send to 10.8 in response
14:33 < krzee> but they have no route for it, so it goes to default
14:33 < krzee> default is the router, which needs to know where to send the 10.8
14:33 < krzee> follow the routes
14:33 < krzee> gotta go shower
14:33 < JW> but won't they see the VPN traffic coming in from 192.168.0.2 (let's say) and respond to that address without having anything to do with going back out through the gateway?
14:33 < JW> See you, thank you.
14:33 < krzee> no
14:33 < krzee> they will see 10.8.sending.machine
14:34 < JW> krzee: will you be back at any time later?
14:34 < krzee> unless you NAT it
14:34 < krzee> yah every day
14:34 < krzee> but likely late
14:34 < krzee> its 3:30 here now, likely around 2am ill be back
14:34 < JW> Doesn't using a bridge setup make all that easier? :-D
14:34 < krzee> not really
14:34 < krzee> and it adds needless overhead
14:35 < krzee> bbl
14:35 < JW> thanks
14:36 < krzee> btw
14:36 < krzee> even in a bridge the machines need a route back to the machine
14:36 < krzee> they need to know the block of ips goes through the vpn server
14:36 < krzee> so you get the same problem either way, involving routing a subnet in a bridge
14:38 -!- Irssi: ##openvpn: Total of 5 nicks [0 ops, 0 halfops, 0 voices, 5 normal]
14:48 < krzee> on my way out, i take that back
14:48 < ecrist> krzee: not really, a bridge will pass arp broadcasts.
14:48 < krzee> i guess arp handles it
14:48 < ecrist> :)
14:48 < krzee> haha jinx
14:48 < krzee> ;]
14:48 < krzee> shower cleared that up for me
14:48 < krzee> aiight, bbl =]
14:49 -!- mode/##openvpn [+o ecrist] by ChanServ
14:50 -!- ecrist changed the topic of ##openvpn to: OpenVPN | http://openvpn.net | HowTo: http://openvpn.net/index.php/documentation/howto.html | Current Release: OpenVPN 2.0.9
14:51 -!- mode/##openvpn [-o ecrist] by ecrist
14:56 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn
15:00 -!- eyeris [i=98df84e8@moose.intercarve.net] has joined ##openvpn
15:00 -!- eyeris [i=98df84e8@moose.intercarve.net] has left ##openvpn []
15:11 < BoomSie> I'm having an issue with OpenVPN over here & tracked it down with google, a colleague of mine created ca+crt+key+ovpn+key files for me, but the crt is 0 bytes (empty) ... now I'm wondering if I could reverse the process and generate it myself and send the 'correct' files to put on the server to him
15:11 -!- JW is now known as JW----------
15:11 -!- JW---------- is now known as JW
15:11 < ecrist> BoomSie: do you have perl installed?
15:11 < BoomSie> create from scratch (taking the certificate basics from the mailserver)
15:11 < BoomSie> jep
15:12 < BoomSie> at least, basic perl the system needs, but I could just pump it up through apt
15:12 < ecrist> https://www.secure-computing.net/wiki/index.php/OpenVPN_Server
15:12 < ecrist> on that page is a link for ssl-admin.tar, which is a perl script I wrote to manage ssl certificates.
15:12 < ecrist> it greatly simplifies the ssl certificate management.
15:13 < ecrist> download it, put it in the same directory as your openvpn server config file
15:13 < BoomSie> ... thanks, I'll take a look at it ( for my private server =) ) but could I generate files and hand them to him so he can add them to the openvpn server for example? Cause I'm a complete noob at openvpn to be honest :(
15:14 < BoomSie> all I know is that every user has his/her own cert/key file
15:14 < ecrist> yeah - read that wiki page, it explains quite a bit.
15:14 * BoomSie reads away, thanks in advance
15:14 < ecrist> BoomSie: that script handles all that for you.
15:14 < ecrist> bbl - away for the drive home (with a stop at the bank)
15:14 < BoomSie> =) ... drive safe ;)
15:15 < BoomSie> and watch your back while at the bank
15:17 < BoomSie> magnificent piece of art you made =)
15:39 < BoomSie> specific question, to anyone reading: my colleague created an OpenVPN certificate for me, which was faulty (ubuntu openssl bug -> empty crt file) ... could I just create a new one myself and send it to him to install it on the OpenVPN server so I can login?
16:03 < ompaul> yeah but .... you need to think about the table: http://openvpn.net/index.php/documentation/howto.html where you search for Key Files
16:03 < ompaul> Now we will find our newly-generated keys and certificates in the keys subdirectory. Here is an explanation of the relevant files:
16:03 < ompaul> BoomSie, cos as you need to have particular files on each end
16:04 < ompaul> BoomSie, you make it "not practical" to do it the way you suggest - better for him to update box and start again
16:06 < BoomSie> ay, well, basically, I started this evening, wanting to JUST generate the whole bunch myself, but then someone told me "if you have the ca.crt, why don't you generate it yourself". Making me believe, I can obtain my own my.crt again, so I can just login without bothering the other guy again
16:07 < ompaul> ca.key key signing machine only Root CA key YES
16:07 < ompaul> that line should explain lots
16:09 < ecrist> BoomSie: if you have ca.crt and ca.key (or ca.pem), you can create/sign yourself.
16:09 < ecrist> if you don't, and if it's not your server, you shouldn't, you'll need to have him reissue it.
16:10 < BoomSie> ca.crt & dh1024.pem I have
16:11 < ompaul> no key no go
16:11 < BoomSie> ca.crt though, ONLY contains a key it seems, no common name and stuff
16:11 < BoomSie> I do have a key, my personal one, that's why I'm so confused
16:11 < ompaul> BoomSie, there is a ca.key which is what you really need and if there are other links then you fail
16:11 < ompaul> BoomSie, look at it as a two sided lock
16:12 < ompaul> you got one key and the door is only open to you if the other side of the lock is op
16:12 < ompaul> open
16:12 < ompaul> you don't have the "inner" key
16:12 < BoomSie> oK, so basically, I can generate it for my own personal key, cause the 'my.key' file does contain the common name and stuff
16:12 < ecrist> BoomSie: ca.crt is an encoded certificate, not the key
16:13 < ecrist> dh1024.pem isn't the key
16:13 < ecrist> no
16:13 < ecrist> let me describe it like so:
16:13 < ecrist> SSL is a chain of keys
16:13 < ecrist> at the top, you have a Certificate Authority
16:14 < BoomSie> (the reason I want so desperately to try to get the vpn working is cause there's a deadline monday afternoon and I want to commit code asap. I threw in the error the vpn gave me and 9 out of 10 came back with the latest ubuntu bug: Cannot load certificate file prtg.crt: error:0906D06C:PEM routines:PEM_read_bio:no start line: error:140AD009:SSL routines:SSL_CTX_use_certificate_file:PEM @ google.com/linux ... guess what, the guy who gave me th
16:14 < BoomSie> e key/files USES ubuntu, so this is the story behind, I'm not hacking or anything ... well .. a bit, but white hat then ;))
16:14 < ecrist> in many organizations, they create their own CA, called a self-signed certificate.
16:14 < BoomSie> I have 4 files: ca.crt client.ovpn dh1024.pem genmyself prtg.crt prtg.key
16:14 < BoomSie> (genmyself is the testing folder I have to get a normal crt)
16:14 < ecrist> that CA certificate has a key.
16:14 < BoomSie> the prtg.crt is EMPTY cause of the bug
16:15 < BoomSie> jep, only a key
16:15 < ecrist> only the CA admins should have access to that key.
16:15 < ecrist> now, that CA certificate and key pair are used to sign CSRs, or Certificate Signing Requests.
16:15 < ompaul> BoomSie, please watch ecrist, the general message is, you can't get there from here
16:16 < ecrist> as an end user (many CA admins just do this part for you), you create a CSR yourself, with a key only you keep (you don't send the key with the CSR to be signed).
16:16 < ecrist> the idea is, each side is the only one with access to their key.
16:16 < ecrist> the CA certificate 'signs' your CSR, and returns a .CRT, certificate, to you.
16:17 < ecrist> so, the key you have, is only for your client key, not the CA key.
16:17 * BoomSie really needs to study the SSL again, feels like a wimp at this moment
16:17 < BoomSie> that I gathered, hoped it would be JUST enough to also create the client pem
16:17 < BoomSie> crt, sorry
16:17 < BoomSie> AAAAA
16:17 < BoomSie> confusion all around =)
16:17 < ompaul> BoomSie, if you read that page it will help you a lot to understand the operation
16:17 < ecrist> BoomSie: no, you can't.
16:19 < BoomSie> shitty ... I leave it alone for now, will send him an email + sms ... hope he doesn't get a burnout/heart attack ... pressure is really HIGH on that guy lately =)
16:20 < BoomSie> thought I could avoid needing his assistance, thanks very much guys, I really appreciate the time to get me to understand it, will dig a little deeper in it tomorrow myself. Also the idea of generating a few keys myself for him is completely out of the picture I guess
16:21 < ompaul> BoomSie, yes, what you do is point them to the http://openvpn.net/index.php/documentation/howto.html that just "works"
16:22 < BoomSie> together with this script: https://www.secure-computing.net/wiki/index.php/OpenVPN_Server ? (I mean, the guy REALLY knows his things about openvpn, but he was experimenting/testing the last few days on ubuntu with the things we are developing, so this afternoon he 'just' generated it for me. He couldn't know that (k)ubuntu had this bug)
16:25 * BoomSie likes to broaden his knowledge now and then ... until he hits his head SO hard against the wall for completely not knowing the basics behind the technology he's working with. Gives him a shock back to reality and the urge to read his way into stuff =)
16:31 -!- Irssi: ##openvpn: Total of 6 nicks [0 ops, 0 halfops, 0 voices, 6 normal]
16:45 -!- JW [n=jw@cvs.claborn.net] has quit ["Thanks"]
17:02 -!- JW [n=jw@32.176.55.80] has joined ##openvpn
17:03 < JW> So I have a bridge setup that's almost working,
17:03 < JW> the client can talk to the server: ping and make ssh connections
17:03 < JW> and the server can talk to the client on its "LAN" address: ping and make ssh connections
17:03 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Client Quit]
17:03 < JW> but when the client tries to talk to other hosts on the LAN, there is no response.
17:04 < JW> So I've done something wrong - anyone know what?
17:04 < ecrist> JW, are your VPN clients on the same subnet as the LAN clients?
17:04 < JW> Or have a guess, at least? :-)
17:04 < JW> I'm not 100% sure what you're asking but they are all on 192.168.0.0/24 255.255.255.0
17:05 < JW> including the clients
17:05 < ecrist> ok.
17:05 < JW> the server is using the server-bridge config directive and is handing out IPs to the clients
17:05 < JW> only one client at this time
17:05 < ecrist> can you pastebin your client config?
17:05 < JW> certainly, what would you like me to use for a pastebin?
17:06 < ecrist> anything
17:07 < JW> Yeah I almost never use one so I don't have any URLs bookmarked, hold on I'll find one
17:07 -!- mode/##openvpn [+o ecrist] by ChanServ
17:07 -!- ecrist changed the topic of ##openvpn to: OpenVPN | http://openvpn.net | HowTo: http://openvpn.net/index.php/documentation/howto.html | Current Release: OpenVPN 2.0.9 | Please use http://pastebin.com or like for >5 lines.
17:07 -!- mode/##openvpn [-o ecrist] by ecrist
17:10 < JW> I'm working on it.
17:10 < JW> mind if I just give you the grep -v output?
17:12 < ecrist> sure, curious what you're omitting, though.
17:12 < JW> http://pastebin.com/d2a90e055
17:12 < JW> would have omitted the comments (lots of them) but never mind they're all there
17:12 < JW> I have changed very little from the default config
17:13 < JW> tcp > udp
17:13 < JW> host name.
17:13 < JW> path to cert.
17:13 < JW> I think that's it.
17:13 < ecrist> can I see the server config?
17:16 < JW> http://pastebin.com/d6f3bbecc
17:18 < ecrist> ok, both look good. you said server and client can ping each other?
17:18 < JW> yes, and I can ssh between them using the 192.* IP
17:18 < JW> both ways
17:18 < JW> I have the firewall open completely for br0 right now
17:19 < JW> and actually I do for tun0 and tap0 just to avoid any potential problems until I get all the bugs worked out.
17:19 < JW> BTW I'm using this for my guide: http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html
17:19 < ecrist> ifconfig shows IPs for br0, and tap0?
17:19 < JW> IPs for br0
17:20 < JW> there is no IP on tap0, it's bridged with eth3
17:20 < JW> eth3 is still working on the real, local LAN though.
17:20 < ecrist> ok, gimme one minutes
17:20 < ecrist> minute*
17:20 < JW> don't be misled by the eth3 name, it's only 1 of two NICs (external & internal)
17:21 < ecrist> did you run the bridge-start script?
17:21 < JW> yes
17:21 < JW> on the server
17:21 < JW> before starting openvpn
17:21 < JW> I manually added iptables -A FORWARD -i br0 -j ACCEPT like the documentation says but it didn't help any.
17:21 < JW> (I don't normally use iptables directly, I use firehol)
17:22 < ecrist> I'm not a linux/iptables person, so I hope it's not a firewall issue
17:22 < ecrist> can you show me ifconfig output?
17:22 < ecrist> if you want, pm me the pastebin for a bit of privacy
17:23 < JW> Yeah same here. Earlier I had the br0 blocked (or more simply, not expressly opened) on accident and it took me ages to figure it out.
17:23 < JW> good idea
17:23 < JW> You want the server's ifconfig right?
17:24 < ecrist> yes,
17:24 < ecrist> I'm not worried about the client.
17:26 < ecrist> JW: the IPs look weird.
17:26 < ecrist> there is no 999 in IPv4
17:26 < ecrist> :]
17:26 < JW> ecrist: of course. It's a real address.
17:26 < JW> 9's are just place holders.
17:27 < ecrist> by 'real' do you mean internet-routable?
17:27 < JW> trust me there is nothing wrong with the plain old network config part.
17:27 < JW> yes
17:28 < ecrist> actually, I think that's your problem.
17:28 < JW> I don't think so - I've probably confused you - but please explain
17:29 < JW> eth2 is the external NIC. There is no eth0 or eth1 thanks to Debian going weird on me during an upgrade.
17:29 < ecrist> ok, so where's your LAN interface?
17:29 < JW> eth3
17:29 < JW> which is bridged with tap0 into br0
17:30 < ecrist> hrm, OK, so LAN clients can ping 192.168.0 OK?.127
17:30 < JW> yes, exactly
17:30 < ecrist> hrm, OK, so LAN clients can ping 192.168.0.127 OK?
17:30 < JW> even after openvpn is started on the server and client
17:31 < ecrist> and VPN clients can ping 192.168.0.127 just fine?
17:31 < ecrist> but they can't ping each other?
17:31 < JW> There is only one VPN client, and yes, it can ping 192.168.0.127
17:31 < JW> and the client can ssh to 192.168.0.127
17:31 < JW> also the server can ssh back to 192.168.0.112 which is the VPN client's VPN-given IP address
17:32 < JW> everything between the client and server is working dandy
17:32 < JW> however the remote VPN client is not able to ping/ssh other hosts on the LAN
17:32 < JW> the client is connected directly to the internet through ppp0.
17:33 < ecrist> it's looking like a firewall problem.
17:33 < JW> The client is NOT on a remote LAN, it's all alone on ppp0
17:33 < JW> hmm.
17:33 < JW> like, something isn't being forwarded right?
17:33 < ecrist> yes
17:33 < ecrist> is there a reason you need bridging?
17:33 < ecrist> routed vpns are much easier.
17:34 < JW> Hey, you're right - I turned the firewall off for a sec and the vpn client can ssh directly to another machine on the LAN.
17:34 < JW> so it's not even a forwarding or routing problem.
17:35 < JW> Somehow the client is plain old blocked on the server firewall.
17:35 < ecrist> that's a common problem.
17:35 < JW> I wonder what part would control that since I have all of br0 totally open.
17:35 < ecrist> I was looking in to other things because you said you'd turned off the firewall for those interfaces...
17:35 < ecrist> :)
17:35 < ecrist> JW, eth3 and tap0 rules would affect it, as well.
17:35 < JW> for all of br0, tun0, and tap0, yes, it's completely open.
17:36 < JW> something in the eth3 rules must be muddling with it.
17:36 < JW> 2nd time today the firewall has bitten me.
17:36 < ecrist> you prolly have to allow arp through, amongst other things.
17:38 < JW> Ok excuse me for being dumb - arp is NOT the same as ICMP, right?
17:39 < ecrist> it's its own protocol
17:39 < ecrist> non-stateful
17:43 < ecrist> I'd just allow all traffic between br0, tap0, and eth3
17:43 -!- SilenceGold [n=chris@adsl-70-232-50-35.dsl.ltrkar.sbcglobal.net] has quit [Nick collision from services.]
17:43 -!- SilenceGold [n=chris@70.232.50.35] has joined ##openvpn
17:43 < JW> all 3 of those already have client all allow.
17:44 < JW> and now all 3 of them have server all allow but it's still not working.
17:44 < JW> There must be some special command to allow arp but I'm not finding it in the docs yet
17:44 < SilenceGold> is it tap or tun? JW
17:45 < ecrist> tap0, SilenceGold
17:45 < SilenceGold> heh
17:45 < ecrist> JW, at least you know it's a firewall issue, now.
17:45 < JW> yes
17:45 < SilenceGold> yea arp packets should go thru tap0 then
17:46 < JW> SilenceGold: do you happen to know how to do that with firehol?
17:46 < SilenceGold> firehol?
17:46 < JW> I guess that answers the Q :-)
17:47 < JW> Well it's working beautifully when the firewall is not in the way.
17:47 < JW> I can't see why everyone says the routed setup is easier than the bridged one.
17:48 < JW> (when you're trying to access LAN clients behind the server)
17:50 < JW> The internal LAN clients can even ssh back out to the remote VPN client without ever knowing the difference. Fabulous!
17:54 < SilenceGold> JW, the problem with tap is that you can only do one tap to other tap tunnel
17:54 < SilenceGold> tun, you can handle multiple clients
17:54 < SilenceGold> from all over the internet cloud
17:55 < JW> SilenceGold: are you saying you can only have one client at a time?
17:55 < JW> one remote client?
17:55 < SilenceGold> not 100% certain
17:55 < JW> If so, that's ugly.
17:57 < JW> Well thanks for all the help, I gotta run now.
17:57 -!- JW [n=jw@32.176.55.80] has quit ["Thanks!"]
19:31 -!- kraut [i=kraut@blackhole.packetloss.biz] has joined ##openvpn
19:33 < kraut> what happened to #openvpn?!
20:08 < SilenceGold> we had problems with authority 20:08 < SilenceGold> so now #openvpn is closed and will be ##openvpn 20:09 < SilenceGold> those who are still online are still in #openvpn but it's +m 21:11 -!- SilenceGold [n=chris@70.232.50.35] has quit [Remote closed the connection] 21:42 -!- BoomSie [n=gideon@212-182-158-43.ip.telfort.nl] has quit [Read error: 110 (Connection timed out)] 21:52 -!- SilenceGold [n=chris@adsl-70-232-50-35.dsl.ltrkar.sbcglobal.net] has joined ##openvpn 22:41 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)] 23:22 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn --- Day changed Sat Aug 02 2008 00:31 -!- freezer [n=freezer@static.12.72.46.78.clients.your-server.de] has joined ##openvpn 00:31 < freezer> hi 00:32 < freezer> krzee: it seems to run fine with tun now 00:33 < krzee> nice =] 01:00 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 54 (Connection reset by peer)] 01:24 -!- freezer [n=freezer@static.12.72.46.78.clients.your-server.de] has quit [Remote closed the connection] 01:29 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn 01:34 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 02:45 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Client Quit] 07:35 -!- Irssi: ##openvpn: Total of 4 nicks [0 ops, 0 halfops, 0 voices, 4 normal] 10:58 -!- BoomSie [n=gideon@212-182-158-43.ip.telfort.nl] has joined ##openvpn 11:01 -!- daemon [n=paul@laptop2.daemoncore.org] has joined ##openvpn 11:04 < daemon> hey guys im having a weird problem with openvpn 11:04 < daemon> on one my clients 11:04 < daemon> I get this as an error: 11:04 < daemon> Sat Aug 2 17:04:27 2008 Cannot load CA certificate file /usr/local/etc/openvpn/keys/ca.crt (SSL_CTX_load_verify_locations) (OpenSSL) 11:15 < daemon> ah corrupt file nm 13:46 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn 14:36 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit 
[Client Quit] 15:52 -!- daemon [n=paul@laptop2.daemoncore.org] has quit [Read error: 104 (Connection reset by peer)] 16:17 -!- bandini [n=bandini@host208-23-dynamic.20-79-r.retail.telecomitalia.it] has joined ##openvpn 17:49 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn 18:40 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Client Quit] 18:49 -!- _aia_ [n=_aia_@unaffiliated/aia] has joined ##openvpn --- Log opened Sun Aug 03 00:40:11 2008 00:40 -!- ecrist [n=ecrist@snipe.secure-computing.net] has joined ##openvpn 00:40 -!- Irssi: ##openvpn: Total of 7 nicks [0 ops, 0 halfops, 0 voices, 7 normal] 00:40 -!- Irssi: Join to ##openvpn was synced in 5 secs 01:30 -!- Buzer [n=buzer@cs151132.pp.htv.fi] has joined ##openvpn 01:31 < Buzer> Hello. Does anyone happend to if it's possible to assign clients to different bridge based on their certificate (as I would like to assign clients to different vlans)? 01:56 < Buzer> hmm... Seems client-connect script should solve my problem 01:56 -!- Buzer [n=buzer@cs151132.pp.htv.fi] has quit [] 02:16 -!- burnin [n=burnin@204-228-142-194.ip.xmission.com] has quit ["Leaving"] 04:49 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn 05:30 -!- BoomSie [n=gideon@212-182-158-43.ip.telfort.nl] has joined ##openvpn 05:30 -!- bandini [n=bandini@host208-23-dynamic.20-79-r.retail.telecomitalia.it] has quit [Remote closed the connection] --- Log opened Sun Aug 03 09:01:38 2008 09:01 -!- ecrist [n=ecrist@snipe.secure-computing.net] has joined ##openvpn 09:01 -!- Irssi: ##openvpn: Total of 8 nicks [0 ops, 0 halfops, 0 voices, 8 normal] 09:01 -!- Irssi: Join to ##openvpn was synced in 12 secs 09:25 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Client Quit] 09:46 < daemon> hey guys 09:46 < daemon> hola ecrist :) 09:46 < daemon> im about to take my laptop into an enviroment where ill probably be expected to use NAT ?*psh* 09:46 < daemon> have i got to start forwarding ports for my openvpn client to 
get out to my server 09:46 < daemon> or should I be ok 09:46 < daemon> im using udp as the protocol 09:51 -!- burnin [n=burnin@204-228-142-194.ip.xmission.com] has joined ##openvpn 13:35 -!- BoomSie [n=gideon@212-182-158-43.ip.telfort.nl] has quit ["Ex-Chat"] 14:00 < SilenceGold> daemon you shouldn't have to forward any ports provided if the NATD is smart at keep-state connections 14:01 < SilenceGold> if you are hosting an openvpn server behind the NATD, you can just port forward a single port that your openvpn server is using 14:20 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn 14:20 -!- _aia_ [n=_aia_@unaffiliated/aia] has joined ##openvpn 14:30 -!- drax` [n=drax@bob.sweon.net] has joined ##openvpn 14:30 < drax`> hi g 14:30 < drax`> hi guys 14:32 < drax`> banging my head against this --> http://dpaste.com/69173/ 14:32 < drax`> I've set it up the same way I've setup dozens of openvpn ... I don't get where this is coming from 14:33 < drax`> openssl verify on the client and servers certs say OK 14:34 < drax`> the ca cert is the same on both sides 14:34 < drax`> any directions appreciated 15:41 -!- krzie [i=krzee@unaffiliated/krzee] has joined ##openvpn 15:42 < krzie> anyone here use osx besides me? 
15:42 < krzie> ive got an idea
15:42 < krzie> wanna get feedback
15:46 * drax` raises hand
15:47 < krzie> came up with an idea last night
15:48 < krzie> while almost sleeping
15:48 < krzie> the apple remote can be paired to your computer
15:48 < krzie> at that point it could easily be used as the poor man's crypto card
15:49 < krzie> not to replace a pw / certs, as its predictable (not alternating the signal or anything)
15:49 < krzie> but as an addition, it seems easy and nice
15:52 < drax`> Could be fun I suppose
15:53 < drax`> not that useful in practise though ;)
15:55 < krzie> heh i guess not =/
15:55 < krzie> i dunno, seems better than no token
15:55 < krzie> but its definitely no usb token
15:58 < drax`> hey krzie you couldn't help me out with this? http://dpaste.com/69173/
15:59 < drax`> i'm going nuts. It's not like its my first openvpn either...
15:59 < krzie> both configs pls
16:01 < krzie> ouch, why tcp?
16:01 < krzie> (you know the ramifications of tcp over tcp...?)
16:02 < drax`> http://dpaste.com/69197/
16:02 < krzie> also, you should re-make your certs after reading http://openvpn.net/howto.html#mitm
16:03 < drax`> tcp cuz later on it'll be used with socks5. udp doesn't go over socks :(
16:03 < krzie> ahh
16:03 < krzie> ya i go the other way, i do socks5 over my vpn
16:03 < krzie> if you can get around that, try to at all cost
16:03 < krzie> tcp-over-tcp is very bad
16:04 < drax`> I'm using the easy-rsa from debian, and I've got tons of other vpns generated the same way, that work. I don't get it
16:04 < krzie> http://sites.inka.de/~W1011/devel/tcp-tcp.html
16:04 < krzie> (good read)
16:05 < krzie> build-key-server
16:05 < drax`> my server cert is a server cert
16:05 < drax`> yeah, that's what I used
16:05 < drax`> and build-key for the clients
16:05 < krzie> ahh, then all you gotta do is check for it with ns-cert-type server
16:06 < krzie> but thats not your problem
16:06 < drax`> ok thx, i'll add that
16:06 < krzie> just a god thing to do once your problem is fixed (and on existing vpns)
16:06 < krzie> s/god/good/
16:06 < drax`> noted :)
16:07 < krzie> your 10. ips are separate networks right?
16:07 < krzie> (your test setup)
16:07 < krzie> in same network has issues
16:07 < krzie> could be the problem even if everything is setup right
16:08 < drax`> well actually, the original conf was with public ips (and a firewall in between)
16:08 < krzie> oh ok
16:08 < drax`> I changed those to 10... for testing, after it not working
16:08 < drax`> but it didn't help, heh :)
16:09 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Client Quit]
16:09 < krzie> ya and you seem to know enough that i dont care if i see real ips or not (its annoying when unskilled people do that cause its sometimes part of their problem)
16:09 < drax`> I understand yeah
16:09 < krzie> ahh dude
16:09 < krzie> server has tls-server
16:10 < krzie> client doesnt know about it
16:10 < krzie> plus, no TLS static file
16:10 < drax`> what annoys me even more is i've done this like 10 times, i even have .sh scripts
16:10 < drax`> mm ok.
16:10 < krzie> thats the problem
16:10 < drax`> what should I do. just 'server' on the server ?
16:10 < krzie> for test you could comment tls-server
16:11 < krzie> but then you'll wanna fix the problem
16:11 < krzie> (by setting up TLS verification correctly)
16:11 < krzie> 1sec lemme look at my config
16:12 < krzie> client:
16:12 < krzie> ns-cert-type server
16:12 < krzie> tls-auth /home/krzee/vpn/keys/ta.key 1
16:12 < krzie> server:
16:12 < krzie> tls-auth /home/krzee/vpn/keys/server-ca/ta.key 0
16:13 < krzie> you dont need tls-server and tls-client anymore
16:13 < krzie> at least not in dev branch (which i recommend)
16:13 < drax`> hum, I think it defaults to tls-server. If I comment it out on the server, errors stay the same
16:14 < drax`> wait lemme setup another client, this tunnelblick on osx is pissing me off :)
16:14 < krzie> oh dude i hate that app
16:15 < krzie> i just use a .command file
16:15 < krzie> (sh scripts named .command can be double clicked)
16:15 < drax`> damn, that's some protip
16:16 < krzie> ya its nice and lazy when you have 20 .command scripts in stacks
16:16 < drax`> I'll probably get round to doing that. it's always crashing i hate it
16:16 < krzie> haha
16:16 < krzie> i tried tunnelblick once, wont be doing it again
16:16 < krzie> also
16:17 < krzie> dont forget to tell openvpn to drop privs
16:17 < krzie> user nobody
16:17 < krzie> group nogroup
16:17 < drax`> true dat
16:17 < krzie> for server and client
16:17 < krzie> (whatever sandbox account you use)
16:18 < drax`> yeah, this one in particular is for an NIDS
16:18 < drax`> would be silly to get owned this way :)
16:18 < krzie> NIDS \ ?
16:19 < drax`> network IDS
16:19 < krzie> ahh, lol
16:19 < krzie> ya would be funny way to go down
16:20 < krzie> oh also
16:20 < krzie> keyx doesnt happen overly often
16:21 < krzie> so increasing to say 4096 isnt very expensive
16:21 < krzie> (only expensive during key creation)
16:21 < drax`> where is that set ?
16:21 < krzie> your DH key, your TLS static key, your cert generating
16:22 < krzie> (the RSA sig)
16:22 < drax`> oh sorry, I misread
16:22 < drax`> yeh ok, size matters ;)
16:22 < krzie> hahah
16:23 < krzie> its one of those things where it doesnt hurt you any to increase it, so may as well
16:23 < krzie> its only during keyx that it increases overhead
16:23 < drax`> wait, those lines you pasted. its for a server-server config ?
16:23 < drax`> ie not a roadwarriors config ?
16:23 < krzie> the client can be whatever
16:24 < krzie> another server, or a remote laptop in unknown lands
16:25 < drax`> but you use a pkcs12 file right ?
16:25 < krzie> nah
16:25 < drax`> hurm
16:26 < krzie> in fact, ive gotta google that to see what it would be
16:26 < krzie> heh
16:26 < krzie> like where it would go in the auth
16:27 < krzie> ahh diff style of key file
16:27 < drax`> grah, I'm going nuts, my config works everywhere except now
16:27 < krzie> nah i use 4096 RSA
16:28 < krzie> try rebuilding your certs
16:28 < krzie> and include a TLS static key
16:28 < krzie> depending on if its dev branch or stable i think syntax for TLS static key differs
16:28 < krzie> the one i pasted is for dev
16:29 < krzie> IIRC stable branch would want tls-client and tls-server
16:29 -!- MoL0ToV [n=g@89.106.92.16] has quit ["changing servers"]
16:29 < drax`> I just got whatever's in the debian package (stable). It's not like I'm _asking_ for trouble or anything :)
16:29 < krzie> in mine its the 0 and 1 after tls-auth /home/krzee/vpn/keys/ta.key 1
16:29 < krzie> 1 being client
16:30 < drax`> ok
16:30 < krzie> also, your debian has updated ssl right?
16:30 < krzie> (the debian specific SSL issue)
16:30 < drax`> yeh, fresh install, updated
16:30 < drax`> and the bells and stuff
16:31 < krzie> the dev branch is worth using btw
16:31 < krzie> imo
16:31 < krzie> not that you have to, but i would / do
16:31 < drax`> ll
16:31 < drax`> woops
16:31 -!- MoL0ToV [n=g@89.106.92.16] has joined ##openvpn
16:32 < krzie> [Openvpn-devel] OpenVPN 2.1_rc9 released -- note security fix James Yonan 0 2008-08-01 06:41
16:32 < krzie> http://sourceforge.net/mailarchive/forum.php?forum_name=openvpn-devel
16:34 < drax`> security fix ey
16:34 < krzie> hrm, i think imma paste my configs to my webserver
16:34 < krzie> will come in handy often for showing in here
16:34 < drax`> ok I'm gonna re-gen all my configs and certs
16:35 < drax`> I'm pretty sure I'm gonna hit the same wall and it's gonna piss me off :)
16:35 < drax`> fg
16:35 < drax`> rah, sorry :)
16:36 < krzie> lemme show you my configs too
16:36 < krzie> once i post them
16:40 < drax`> ok static keys work
16:40 < drax`> but that doesn't help me, cuz that's not the setup I want
16:40 < drax`> gonna try again, with easy-rsa package
16:49 < krzie> http://www.ircpimps.org/openvpn.configs
16:50 < krzie> no no
16:50 < krzie> the TLS static keys are additional security
16:50 < krzie> not replacement
16:50 < krzie> it complements your setup
16:52 < krzie> doesnt replace your certs or anything
16:55 -!- _aia_ [n=_aia_@unaffiliated/aia] has quit ["Bye"]
16:55 < krzie> that will give you HMAC sigs
16:56 < krzie> # For extra security beyond that provided
16:56 < krzie> # by SSL/TLS, create an "HMAC firewall"
16:56 < krzie> # to help block DoS attacks and UDP port flooding.
16:56 < krzie> #
16:56 < krzie> # Generate with:
16:56 < krzie> #   openvpn --genkey --secret ta.key
16:56 < krzie> #
16:56 < krzie> # The server and each client must have
16:56 < krzie> # a copy of this key.
16:57 < krzie> # The second parameter should be '0'
16:57 < krzie> # on the server and '1' on the clients.
16:57 < krzie> ;tls-auth ta.key 0 # This file is secret
16:57 < krzie> basically, unless each packet is signed with that, openvpn wont even process it
16:58 < krzie> i have a feeling that would help against attacks against potential daemon security issues too (unless the security issue was in HMAC processing)
17:03 < drax`> yeh I saw
17:03 < drax`> ok I think I've got progress
17:04 < krzie> personally i use 4096 keys everywhere, but im a freak like that
17:04 < drax`> error=self signed certificate in certificate chain
17:04 < drax`> I don't think I had that before
17:04 < krzie> but ild use 1024 just for testing cause they're so much faster to generate
17:05 < krzie> odd
17:06 < krzie> paste whole thing?
17:06 < krzie> also for testing you should raise your verbosity
17:06 < krzie> to 6 or so
17:06 < krzie> you can go back down when everything works
17:06 < krzie> i leave mine at 4 for everyday usage, but lower is fine when everything is good
17:07 < krzie> (i see your client had 1)
17:07 < drax`> http://dpaste.com/69211/ <-- client
17:08 < drax`> http://dpaste.com/69212/ and server
17:08 < krzie> k, server and both logs pls
17:10 < krzie> and up the verb to 6
17:10 < krzie> before posting logs
17:10 < krzie> verb = high for debugging
17:12 < drax`> http://dpaste.com/69213/ <-- server logs with verb 6
17:13 < krzie> can you switch to udp just for the testing of configs?
17:13 < drax`> http://dpaste.com/69214/ <-- client with verb 6
17:13 < drax`> yeah
17:14 < krzie> actually nm
17:14 < krzie> doesnt matter
17:14 < krzie> now that i see client log
17:16 < drax`> yeh, I switched but the errors stay the same
17:18 < krzie> both boxes have the correct time/date?
17:18 < krzie> can be checked or fixed by using ntpdate time.nist.gov
17:19 < drax`> hurm yeah the timezone is wrong on one
17:21 < krzie> that could do it
17:21 < drax`> wtf, after ntpdate it's even more wrong :)
17:21 < krzie> whats more wrong?
17:22 < krzie> and how much was the time off as reported by ntpdate
17:22 < drax`> the time, it's like half a day off :)
17:22 < drax`> was only two hours off before
17:22 < drax`> gonna fix it 2s
17:23 < krzie> no the time is correct as related to GMT
17:23 < krzie> aka UTC
17:23 < krzie> your timezone is off
17:23 < krzie> http://www.debian-administration.org/articles/213
17:24 < krzie> ntpdate will make your clock correct, if date then shows it as diff than you expect, you need to fix your TZ
17:25 < drax`> yeah that's what I meant, the damn thing requires a reboot though :(
17:26 < krzie> nah you should be fine with just tzselect
17:26 < krzie> i dont use debian but i cant remember ever rebooting gentoo or fbsd after changing the TZ
17:26 < krzie> its just an offset from UTC
17:28 < krzie> http://wiki.debian.org/TimeZoneChanges
17:30 < krzie> either way, openvpn doesnt care if the timezones are set, agree or anything
17:31 < krzie> once both agree on UTC time you're fine
17:35 < drax`> k, well time is set according to time.nist.gov
17:35 < krzie> same error?
17:35 < drax`> yep
17:38 < drax`> hurm wait no, I'm not getting the same time depending on the shell.
17:38 < drax`> ffs..
17:39 < krzie> just run that command on both
17:39 < krzie> well
17:40 < drax`> well, that I did. but the timezone is off
17:40 < krzie> doesnt matter
17:41 < krzie> (for this)
17:42 < drax`> yeah it was the TLS Error: Unroutable control packet received
17:42 < drax`> but I don't seem to be getting those anymore
17:43 < krzie> interesting
17:43 < drax`> in fact I'm seeing stuff about 'P_CONTROL_V1' so I suppose those "control" packets are going through
17:48 < drax`> hurm wait I think my CA is broken because of the whole timezone thing
17:48 < drax`> I've gone back in time now, it's "not yet valid"
17:48 < krzie> oh
17:48 < krzie> it was generated on the machine that was off?
17:48 < krzie> that got updated by ntpdate?
17:48 < drax`> yeh
17:48 < krzie> yup
17:48 < krzie> time to make them again ;]
17:49 < krzie> at least you'll be a cert generating pro ;]
17:49 < drax`> 4th time's a charm..
17:52 -!- DaPrivateer [i=Privatee@crimson.66fruit.com] has joined ##openvpn
17:56 < drax`> raaaah it works \o/
17:57 < drax`> so in the end it was probably all because of my time being off... grrr
17:57 < drax`> thx for the input krzie
17:58 < drax`> it's only 1 in the morning... :)
17:58 < krzie> np man =]
17:58 < krzie> 7pm here
17:59 < krzie> although 1am is closer to the time i shine
17:59 < krzie> haha
17:59 < krzie> im only alive at this time cause of coffee (<-- nocturnal)
18:05 < krzie> drax, its still a good thing you had the problem
18:05 < krzie> cause now you know a few more things to do to make your setup better
18:05 < krzie> which ild say is worth any time you spent troubleshooting
18:05 < krzie> especially since you have multiple setups
18:10 < drax`> yeah no, I must agree I learnt quite a bit
18:10 < drax`> but I'm taking the plane in two days with this box, I would rather have not lost those precious hours :D
18:10 < drax`> but nevermind :)
18:11 < drax`> yeah thanks for those extra tips, I'll add a tls-auth
18:11 < drax`> and I made 4096bit keys, "because I can" :p
18:12 < krzie> =]
18:13 < krzie> yup
18:13 < krzie> doesnt hurt you any
18:13 < krzie> and as you mentioned, its the size that matters ;]
18:15 < drax`> well unless you've got some twat commenting out lines in mt_rand.c, but that's not the subject :P
18:18 < krzie> haha
18:34 < krzie> <-- loves some twat
18:34 < krzie> o_O
18:49 < drax`> That's a troll that'll last for ages :)
18:50 < drax`> http://blog.rominet.net/images/debiancat3.jpg
18:50 < krzie> hah
18:51 < krzie> www.ircpimps.org/pimpin.jpg
18:51 < drax`> mad photoshop skillz I see
18:51 < krzie> lol no actually i suck at art
18:51 < krzie> i had a guy i gave free hosting to to do all my art stuff
18:51 < krzie> haha
18:54 < krzie> it would be a stick figure if left up to me
18:54 < krzie> lol
19:10 -!- krzie [i=krzee@unaffiliated/krzee] has quit ["BitchX: causing all sorts of havok!"]
19:43 -!- drax` [n=drax@bob.sweon.net] has left ##openvpn []
22:19 -!- Irssi: ##openvpn: Total of 8 nicks [0 ops, 0 halfops, 0 voices, 8 normal]
22:19 < ecrist> yawn.
22:20 < ecrist> have a good night.
--- Day changed Mon Aug 04 2008
00:28 -!- burnin [n=burnin@204-228-142-194.ip.xmission.com] has quit ["Leaving"]
01:52 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
02:05 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"]
02:06 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
02:11 -!- BoomSie [n=gideon@dw772421126.amsterdam-tc.dataweb.net] has joined ##openvpn
02:15 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn
02:21 < kraut> moin
02:46 -!- bandini [n=bandini@host44-107-dynamic.21-79-r.retail.telecomitalia.it] has joined ##openvpn
04:17 -!- kexman [i=kexman@unaffiliated/kexman] has joined ##openvpn
04:17 < kexman> hi
04:17 < kexman> im using openvpn as a client under linx
04:17 < kexman> *linux*
04:17 < kexman> and im having problems with /etc/resolv.conf
04:18 < kexman> since my router is overwriting it from time to time
04:18 < kexman> i set search and openvpn dns server so i can find stuff inside my network
04:19 < kexman> but the dhcp client on my laptop overwrites stuff
05:01 < krzee> i dont know linux all that well but in the conf.d file for dhcp you can turn that off
05:02 < krzee> you can tell it not to override your NS stuff
05:09 < kexman> krzee: hmm
05:09 < kexman> but some times i need it to override :)
05:09 < kexman> like when i dont know the ip of the openvpn server :)
05:10 < kexman> well not that that changes but i dont like to enter ips in my openvpn config
05:10 < kexman> i like to enter dns hosts
05:10 < kexman> krzee: i need dns resolution
05:11 < kexman> before i can get onto the openvpn network and use my local network dns server
05:28 < krzee> http://www.phocean.net/?p=12
05:48 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
06:01 < kexman> krzee: thanx
06:02 < kexman> ill bookmark that page for later use
06:02 < kexman> it seems good
06:10 < krzee> np
06:39 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Remote closed the connection]
07:14 -!- snejk [n=snejk@f213-89-26-57.bredband.comhem.se] has joined ##openvpn
07:26 -!- vlt [n=dm@suez.activ-job.com] has joined ##openvpn
07:27 < vlt> Hello. I got some strange error messages on one client today: "TLS Error: unknown opcode received from xxx.xxx.81.182:1197 op=22" and "Authenticate/Decrypt packet error: packet HMAC authentication failed". Any idea what could cause this?
07:37 -!- snejk [n=snejk@f213-89-26-57.bredband.comhem.se] has quit [Read error: 110 (Connection timed out)]
07:41 < ecrist> vlt: what does the google say?
07:41 < ecrist> that message comes up with about 538,000 hits in google
07:47 < kexman> vlt: uuu wait i had something like that before
07:48 < kexman> but i cant remember what was the problem
07:48 < kexman> but i fixed it using google :)
07:50 -!- Edward123 [n=edward@host81-149-214-135.in-addr.btopenworld.com] has joined ##openvpn
07:50 < Edward123> hey
07:50 < Edward123> i've setup openvpn elsewhere, i can connect up fine (using ethernet bridging) and see other machines by IP but for some reason the netbios stuff isn't working?
07:50 < Edward123> i notice the TAP adapter doesn't have a gateway set, should it? would that make a difference?
07:51 < ecrist> Edward123: if you're using correct IP addressing (all on the same subnet), NetBIOS should be fine.
07:51 < ecrist> gateway is only needed for off-network communication.
07:51 < Edward123> actually i think netbios might be OK
07:51 < Edward123> yes, it's just we're on separate 'workgroups'
07:52 < Edward123> sorry about that heh
07:52 < Edward123> openvpn is great
07:56 < kexman> really great :)
07:56 < kexman> Edward123: that is cause hmm wait with bridging you should be able to see broadcast
07:57 < kexman> :) lol Edward123 put the same workgroups :)
07:58 < Edward123> heh kexman
07:58 < Edward123> now i realise it's not an issue
07:58 < Edward123> openvpn is a really good piece of light software that does a great job for free
07:59 < Edward123> i tried to implement windows native VPN and it was a bitch
07:59 < Edward123> not to mention the fact that windows XP doesn't even support SSL VPN natively
07:59 < Edward123> openvpn took half the time and was twice as good
07:59 < Edward123> and works with other devices too
07:59 < ecrist> Edward123: windows natively supports PPTP, which used to be the standard
08:34 -!- tiav [n=tiav@fw.sj.tdf-pmm.net] has joined ##openvpn
08:34 -!- tiav [n=tiav@fw.sj.tdf-pmm.net] has quit [Remote closed the connection]
08:36 -!- tiav [n=tiav@fw.sj.tdf-pmm.net] has joined ##openvpn
09:04 < Edward123> ecrist, sure, i've read that
09:05 < Edward123> but who wants PPTP when you can have SSL?
09:05 < ecrist> Edward123: what I'm saying is that it's not windows-specific. Macs and others support PPTP by default. I agree, using SSL keys is better.
09:14 < cpm> macs and windows also do l2tp/ipsec, which is arguably much better than pptp, by an order of magnitude. A lot trickier to implement than openvpn however.
09:16 < ecrist> cpm, pm?
09:17 < Edward123> ##vpn-politik
09:18 < Edward123> i haven't really got to grips with the openvpn gui yet
09:19 < Edward123> all it seems to do is proxying
09:20 < Edward123> maybe that's all it's supposed to do
10:47 -!- BoomSie [n=gideon@dw772421126.amsterdam-tc.dataweb.net] has quit ["Ex-Chat"]
10:48 < ecrist> cpm, you around?
11:04 -!- Edward123 [n=edward@host81-149-214-135.in-addr.btopenworld.com] has quit ["zzz"]
12:11 -!- bandini [n=bandini@host44-107-dynamic.21-79-r.retail.telecomitalia.it] has quit [Remote closed the connection]
12:27 -!- tiav [n=tiav@fw.sj.tdf-pmm.net] has quit [Remote closed the connection]
12:35 -!- xattack [i=root@132.248.108.239] has joined ##openvpn
12:51 < xattack> i'm having some problems to use openvpn with ipv6 protocol, is this wrong? computer 1: openvpn --remote 2001:1218:1:6:211:11ff:fe2b:40f2 1194 --tun-ipv6 --dev tun --ifconfig 10.4.0.1 10.4.0.2 --verb 9 and for computer 2 openvpn --remote 2001:1218:6:2c0:4fff:fead:dcd2 1194 --tun-ipv6 --dev tun0 --ifconfig 10.4.0.2 10.4.0.1 --verb 9
12:52 -!- Irssi: ##openvpn: Total of 12 nicks [0 ops, 0 halfops, 0 voices, 12 normal]
12:52 * ecrist has no ipv6 openvpn experience, yet.
12:52 < xattack> any feedback is welcome
12:52 -!- burnin [n=burnin@204-228-142-194.ip.xmission.com] has joined ##openvpn
12:53 < ecrist> xattack: can you put that into normal configuration and pastebin it?
12:53 < ecrist> it's easier to read that way
12:53 < xattack> ok
12:53 < xattack> computer 1 debian
12:55 < xattack> openvpn --remote 2001:1218:1:6:211:11ff:fe2b:40f2 1194 --tun-ipv6 --dev tun --ifconfig 10.4.0.1 10.4.0.2 --verb 9
12:55 < xattack> computer 2 openBSD
12:56 < xattack> openvpn --remote 2001:1218:1:6:2c0:4fff:fead:dcd2 1194 --tun-ipv6 --dev tun --ifconfig 10.4.0.2 10.4.0.1 --verb 9
12:56 < ecrist> xattack: pastebin.com, please
12:56 < xattack> ok let me check it
12:57 -!- bandini [n=bandini@host44-107-dynamic.21-79-r.retail.telecomitalia.it] has joined ##openvpn
13:49 < xattack> ecrist: sorry, takes a lot, but at least, there it is in pastebin.com, thx!
13:49 -!- bandini [n=bandini@host44-107-dynamic.21-79-r.retail.telecomitalia.it] has quit [Remote closed the connection]
13:49 < xattack> http://pastebin.com/m4eecad33
13:52 < xattack> any idea, feedback, recommendation are welcome
13:53 < ecrist> xattack: line 408 in your paste leads me to believe it can't find the other host...
13:57 < xattack> yeah, and that's the problem, in ipv4 it works fine, without problem, but in ipv6 i dont know why it is not finding the other host, any idea?
13:58 < ecrist> xattack: can you ping back and forth via IPv6?
13:58 < xattack> yes
13:58 < ecrist> sometimes, you have to enclose IPv6 addresses in square brackets, depending on what's going on.
13:59 < xattack> ok, let me try it, you're right!
14:00 < ecrist> so, you got it workings?
14:00 < ecrist> working*
14:01 < xattack> not yet, one moment, please, thx!
14:01 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
14:04 < xattack> ecrist: not working, men, still saying [HOST_NOT_FOUND], cannot resolve host address, sorry
14:04 -!- bandini [n=bandini@host44-107-dynamic.21-79-r.retail.telecomitalia.it] has joined ##openvpn
14:04 < ecrist> xattack: check the FAQ on the openvpn page - limited ipv6 support.
14:04 < ecrist> The VPN carrier connection must currently use IPv4 endpoints, however there's a patch
14:05 < xattack> i have done my homework, i think, but im gonna doublecheck the sources
14:07 < ecrist> well, it appears that you're trying to use IPv6 endpoints - which isn't supported.
14:07 < ecrist> :\
14:07 < ecrist> and it states that in the FAQ
14:12 < xattack> ecrist: yeah, when i use them in ipv4, it works well, no problem there, where did you find the patch?
14:12 < xattack> =0
14:12 < ecrist> xattack: I didn't, that was a copy out of the FAQ, which I'm sure you read, did you did your homework...
14:13 < ecrist> s/did/since/
14:13 < krzee> heh
14:14 < krzee> mind reader :-p
14:14 < ecrist> xattack: please go and read the FAQ from the openvpn main site.
14:14 < krzee> http://www.google.com/search?hl=en&q=ipv6+patch+openvpn&btnG=Google+Search
14:14 < xattack> jajaja ok men, im gonna check it again, thx a lot for all! =)
14:15 < xattack> byte !
14:15 -!- xattack [i=root@132.248.108.239] has quit ["Leaving"]
14:19 -!- snk00sj [n=gnelisse@47.184-243-81.adsl-dyn.isp.belgacom.be] has joined ##openvpn
14:20 < snk00sj> hi, i am trying to setup a "roadwarrior" connection using openvpn 2.1 rc7 (on both sides) but keep getting handshake errors: TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
14:20 < ecrist> um, it's an ssl problem.
14:20 < ecrist> can you post your server and client configs to pastebin, please?
14:21 -!- burnin [n=burnin@204-228-142-194.ip.xmission.com] has quit ["Leaving"]
14:21 < snk00sj> clientside: http://www.pastebin.be/13178
14:24 < ecrist> ok, you're missing some very important pieces of information.
14:24 < ecrist> https://www.secure-computing.net/wiki/index.php/OpenVPN_Server
14:24 < ecrist> you need to have ssl configured and certificates distributed.
14:24 < ecrist> nowhere within your config do I see mention of your ssl certificates.
14:25 < snk00sj> the p12 file contains all the encryption
14:26 < ecrist> well, your log entry above seems to indicate something is missing.
14:37 < snk00sj> hmm i got it working, looking at a thread: http://community.smoothwall.org/forum/viewtopic.php?f=55&t=29141
14:37 < snk00sj> clientconfig stays the same
14:46 -!- snk00sj [n=gnelisse@47.184-243-81.adsl-dyn.isp.belgacom.be] has quit [Read error: 60 (Operation timed out)]
14:56 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:56 -!- kreg_work [n=kreg@208-98-188-95.directcom.com] has joined ##openvpn
14:57 < kreg_work> everytime i run revoke-full i get a new crl.pem. It appears to be a single private key when i look at it. Do i need to append this key to a larger crl.pem every revoke?
15:01 -!- mighty-d [i=500@63.58.83.190.static.coldecon.com] has joined ##openvpn
15:01 < mighty-d> Hi
15:01 < mighty-d> i want to deploy a vpn between my girlfriend's house and mine. I was reading and it seems using PPTP is an intruder's magnet, do you suggest IPSec or i can go with SSL, my concern is if the extra complexity of IPSec is worth it
15:03 -!- tcccp [i=hey@223.66.238.89.arpa-addr.in] has joined ##openvpn
15:03 < tcccp> o.O
15:26 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Client Quit]
15:38 -!- dogmeat [n=Bob@unaffiliated/dogmeat] has joined ##openvpn
16:34 -!- justdave [n=dave@unaffiliated/justdave] has joined ##openvpn
16:38 -!- pumkinhed [n=pumkinhe@mail.guardianchem.ca] has joined ##openvpn
16:40 < ecrist> kreg_work: no, that's the entire revocation list
16:40 < ecrist> there's not a lot of data there, mostly serial numbers of certificates that have been revoked.
16:40 < kreg_work> ok
16:40 < kreg_work> figured something like that. all i've done in the past is just overwrite the old
16:41 < ecrist> mighty-d: OpenVPN will be sufficient with ssl certificates.
16:41 < kreg_work> ssl should secure all the dirty talk
16:41 < ecrist> that's all you need to do, kreg_work. Also, be sure to point your openvpn server config to the file.
16:42 < ecrist> mighty-d: I'm guessing it's for web-cam type stuff. If that's the case, you should send me an ssl certificate, so, um, I can, uh, help you test it.
16:42 < kreg_work> ecrist: do all the keymaking and revoking on a separate machine. i manually move the crl.pem to the new server and restart openvpn.
16:42 < ecrist> yeah, help you test it
16:42 < kreg_work> >: P
16:44 < ecrist> kreg_work: you don't need to restart openvpn for each revoke - it's read dynamically at each ovpn connection.
16:45 < kreg_work> funny, i just read that too
16:45 < kreg_work> heh
16:45 < ecrist> also, storing the key building on another machine is a good idea - you should, theoretically, make the CRL public, fwiw.
16:45 < kreg_work> out of the can i think it was a 644
16:45 < kreg_work> so it was readable and i just left it alone
16:46 < ecrist> kreg_work: I mean, if you use your CA for website/mail server/etc, you should be placing that file on the net.
16:46 < ecrist> there's a field in your root certificate for CRL URI - that should be kept up to date.
16:47 < kreg_work> oh i never knew that
16:47 < kreg_work> we use ssl certs for our domains. mail/web
16:47 < kreg_work> but i've never signed one to include a url
16:48 < ecrist> it only applies to your root CA certificate
16:48 < kreg_work> i c. makes sense
16:49 < ecrist> well, intermediary signing authorities, as well.
16:58 < mighty-d> ecrist, lol, thanks
16:59 < mighty-d> ecrist, as a matter of fact it is for a boring purpose, i just want to learn how to do this and thats all
16:59 < ecrist> that's no fun
17:00 < ecrist> it's pretty straight forward - you just have to know a bit about networking and get the right holes punched into the firewalls.
17:02 < mighty-d> ecrist, ok, so i should go with ssl?
17:02 < mighty-d> ipsec its kinda scary
17:03 < ecrist> IPsec is pretty damn tricky to set up. ssl is far easier.
17:03 < mighty-d> :)
17:03 < mighty-d> ok, ssl will do it
17:04 < ecrist> mighty-d: look here: https://www.secure-computing.net/wiki/index.php/OpenVPN_Server
17:04 < mighty-d> the thing i dont like with ssl is the PKI and the not trusted CA
17:04 < ecrist> gives a bit of a how-to.
17:04 < ecrist> mighty-d: there's a HUGE misconception with SSL and CA certificates.
17:04 < mighty-d> why do you say so?
17:04 < ecrist> well, let me describe it this way.
17:05 < ecrist> what do you mean by '...and the not trusted CA?'
17:06 < mighty-d> well you know, i have to deploy a CA because i wont spend money on verisign or the others, and now if i use client-to-lan they will be warned about a non trusted CA
17:06 < mighty-d> the other way to go is to use autosigned certificates, but thats even worse ;)
17:06 < ecrist> where is this certificate trusted?
17:07 < mighty-d> i think i understand your point
17:07 < ecrist> what I'm getting at is what you are calling trusted is simply what's been 'included' with your web browser
17:07 < mighty-d> yeah
17:07 < ecrist> you don't *really* know where those certificates come from. Only that you've been told to trust them.
17:08 < mighty-d> but, im not worried about you and me
17:08 < mighty-d> im worried about the people that dont get this
17:08 < ecrist> what are you worried about?
17:08 < mighty-d> well, not that it really matters on this deployment
17:08 < ecrist> you're concerned right now with openvpn and using ssl, right?
17:08 < mighty-d> yes.
17:08 < ecrist> you're actually *more* secure by building a self-signed CA (root) certificate and signing client keys with that.
17:09 < ecrist> because 100% of the process is done by you, within your own organization (or living room).
17:09 < mighty-d> lol
17:09 < ecrist> there is no part of the signing process outside your own control.
17:09 < mighty-d> ecrist, i totally agree with you
17:09 < ecrist> when you roll out your client packages, you include four files
17:10 < ecrist> 1) client certificate, 2) client key, 3) client config, and 4) the ca certificate.
17:10 < ecrist> including the ca certificate tells openvpn to trust it.
17:10 < mighty-d> ecrist, so they will never get a warning...
17:10 < ecrist> your users (girlfriend) isn't going to get any popups about that certificate not being 'trusted'
17:11 < ecrist> no
17:11 < ecrist> let me use an example, with my site.
17:11 < ecrist> go to https://www.secure-computing.net
17:11 < ecrist> you're going to get a warning.
17:11 < mighty-d> hmmm actually i didnt
17:11 < ecrist> "WARNING: the sky will fall, virgins will be raped, and all your sugar will harden in the box."
17:11 < mighty-d> lol
17:11 < ecrist> did you already go to my site earlier?
17:12 < mighty-d> lol, of course you gave me the link
17:12 < ecrist> oh, that's right.
17:12 < mighty-d> :)
17:12 < ecrist> what browser are you using?
17:12 -!- dogmeat [n=Bob@unaffiliated/dogmeat] has quit ["Leaving"]
17:12 < mighty-d> firefox
17:12 < ecrist> don't worry, I'm not going to hack you or anything lame like that.
17:13 < ecrist> ff 3?
17:13 < ecrist> or 2?
17:13 < mighty-d> you dont want to know (1.5) ;)
17:13 < ecrist> ok, let me find a copy of it.
17:15 < ecrist> hrm, I can't
17:15 < mighty-d> lol
17:15 < mighty-d> ecrist, dont worry
17:15 < mighty-d> i think i understand your point
17:16 < ecrist> when you're on my website, do you have a lock icon in one of the tool bars?
17:16 < mighty-d> yeah
17:16 < ecrist> probably down in the lower right corner?
17:16 < ecrist> click on that
17:16 < ecrist> should give you page info
17:16 < ecrist> maybe have security tab selected?
17:17 < ecrist> what I'd like you to do is select the 'view certificate' button
17:18 < mighty-d> yes, im looking at the cert now
17:18 < ecrist> and, what does your browser say, regarding how that cert is trusted?
17:19 < mighty-d> well, it says i trusted it for the purpose of authenticating your site
17:20 < ecrist> ok, if you look, you'll see that it was signed by SCN Root Certificate Authority
17:20 < mighty-d> yes
17:20 < ecrist> the reason you originally got the popup/warning, was that your browser didn't have the SCN Root Certificate Authority pre-installed.
17:21 < ecrist> if you were to download and install https://www.secure-computing.net/scn-root.crt from my site, you will then trust *any* certificate signed by SCN Root Certificate Authority
17:22 < ecrist> this would include various services I've got running, including OpenVPN, https, smtps, imaps, and pop3s
17:22 < ecrist> because all the certificates I use are signed by the same CA certificate.
17:22 < mighty-d> of course
17:22 < ecrist> what's *more* secure about this, is I give my root certificate out to my users, friends, and family.
17:23 < ecrist> I've got all my keys stored off the servers my information is served from.
17:24 < ecrist> I personally certify my content. While you don't know me, we could talk on the phone, verify fingerprints, etc, and at least in my opinion, that's a more closely guarded/guaranteed certificate chain than what verisign offers.
17:24 < ecrist> but, I'm done ranting, gotta run the kid to grandma's
17:24 < ecrist> good luck
17:26 < mighty-d> thanks a lot ecrist
17:34 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
17:58 -!- mighty-d [i=500@63.58.83.190.static.coldecon.com] has quit ["Gotta go"]
18:43 -!- SilenceGold [n=chris@adsl-70-232-50-35.dsl.ltrkar.sbcglobal.net] has quit [Read error: 104 (Connection reset by peer)]
18:47 -!- SilenceGold [n=chris@70.232.50.35] has joined ##openvpn
19:06 -!- burnin [n=burnin@204-228-142-194.ip.xmission.com] has joined ##openvpn
20:56 -!- mszathmar [n=mszathma@S0106001d7e2f9523.ok.shawcable.net] has joined ##openvpn
22:40 -!- mszathmar [n=mszathma@S0106001d7e2f9523.ok.shawcable.net] has quit ["Leaving"]
--- Day changed Tue Aug 05 2008
00:12 -!- burnin [n=burnin@204-228-142-194.ip.xmission.com] has quit ["Leaving"]
01:56 -!- BoomSie [n=gideon@dw772421126.amsterdam-tc.dataweb.net] has joined ##openvpn
--- Log opened Tue Aug 05 07:32:18 2008
07:32 -!- ecrist [n=ecrist@chunk.secure-computing.net] has joined ##openvpn
07:32 -!- Irssi: ##openvpn: Total of 17 nicks [0 ops, 0 halfops, 0 voices, 17 normal]
07:32 -!- Irssi: Join to ##openvpn was synced in 15 secs
07:40 -!- mmm4m5m [n=ububam@83.228.48.24] has joined ##openvpn
07:43 < mmm4m5m> hi all. Could you please help me with openvpn client config? Shortly: there is a win server and win client, both working. Now trying to setup linux (ubuntu) client using windows client config file. Looks fine, except ifconfig does not show me openvpn interface
07:44 < mmm4m5m> I am very beginner with linux/ubuntu
07:47 < mmm4m5m> anyone? maybe it is simple question... yesterday I installed vpnc (Cisco VPN) and setup was very easy (again port settings from my win PC)
08:00 < Edward123> cpm... re restarting the network service, it serves as a local iis asp.net & mysql server
08:01 < Edward123> i just tried a reboot infact, heh
08:01 < Edward123> typical windows problem resolution move
08:03 < Edward123> cpm, a reboot didn't resolve the issue
08:03 < Edward123> heh cpm
08:03 < Edward123> re ethernet bridging, i'll explain: ethernet bridging ftw! when it worked, it worked splendidly
08:04 < mmm4m5m> here my config file and terminal screen log entries: http://pastebin.com/m27d94190
08:04 < mmm4m5m> 1) I did: sudo openvpn --mktun --dev tap0 --dev-type tap (but I am not sure do I need it)
08:04 < mmm4m5m> 2) ifconfig does not show tap0 (but 'ifconfig -a' does show it). Do I have to ifdown/ifup? Do I have to setup IP address manually?
08:04 -!- mmm4m5m [n=ububam@83.228.48.24] has quit ["Leaving."]
08:04 < ecrist> wow, he's a bit impatient.
08:05 < cpm> heh
08:07 -!- edeca [n=david@emo.two-pebbles.com] has joined ##openvpn
08:07 < Edward123> hrm so any more thoughts on my error? i'm not even sure the error is fatal... maybe it's a red herring but the client can't connect so....
08:07 < Edward123> i don't have a clue
08:08 < Edward123> the openvpn can't connect to the openvpn server, they could previously but something has changed
08:09 < ecrist> Edward123: is it something you changed, or external to you?
08:09 < Edward123> ecrist, well not knowingly
08:09 < Edward123> i think the machine may have been restarted but that's it
08:10 < ecrist> I came in to this in the middle, but, what's going on/not working?
08:10 < Edward123> [10:28] my vpn server is starting but nothing can connect. when it starts up i see the error: Tue Aug 05 10:12:16 2008 NOTE: FlushIpNetTable failed on interface [14] {8FD49F1D-6F9D-42F2-AA01-294EF7A3D726} (status=1168) : Element not found.
08:11 < Edward123> this is windows 2k8 with ethernet bridging
08:11 < ecrist> ooh, windows as a vpn server, yuk
08:13 < Edward123> i'm running the latest release candidate
08:13 < cpm> yup. I keep telling him that since windows has such an excellent community, to address his questions there, but he doesn't listen.
08:13 < cpm> Oh, and not even running stable code?
08:14 * cpm kicks Edward123, really hard.
08:14 < Edward123> cpm, the stable code doesn't work well with vista/2k8
08:14 < cpm> Try running the stable code, why dontcha?
08:14 < Edward123> it can't do the routing
08:14 < cpm> there is no routing in a bridge.
08:14 < Edward123> yeesh you think i'd use unstable code without good reason?
08:14 < Edward123> hmm
08:15 < edeca> Argh. Latest openvpn on client and server. I can nslookup domains, including the HTTP proxy called 'foobar' from the client (winxp). IE/Firefox can't look up the proxy by name though. Have I hit: http://support.microsoft.com/kb/311218 ?
08:15 < Edward123> why exactly does openvpn need to FlushIpNetTable?
08:15 < cpm> Sure, you use windows for no reason I can ascertain. So, yeah, of course.
08:15 < Edward123> heh
08:15 < Edward123> you cut me deep
08:15 < ecrist> Edward123: there are a number of things wrong with your setup.
08:15 < cpm> heh
08:15 < cpm> ecrist, yup. a lot.
08:15 < ecrist> first, you're using RC code - it's not released and won't be supported as such.
08:16 < ecrist> second, you're using windows as a vpn server - you should be tarred and feathered.
08:16 < Edward123> ecrist, if that's the case why is there a windows release?
08:16 < ecrist> third, there is no routing involved with bridging, quit trying to route.
08:16 < Edward123> openvpn is a project entirely developed by masochists?
08:16 < ecrist> lol
08:17 < ecrist> masochists?
08:17 < Edward123> ye ye
08:18 < Edward123> OK, windows machines are the only ones i have available to me here. i will eventually get a linux machine on the network here but not right away, so i have to work with this
08:18 < Edward123> however, i take your point about not using the RC when the routing isn't needed so i'll downgrade and test again
08:18 < ecrist> then start by using the 2.0.9 release code.
08:18 < Edward123> ^
08:20 < edeca> Anybody got an idea why client apps can't do DNS resolution through openvpn when nslookup can? winxp, not sure if it's related to the post in the docs
08:25 < edeca> Can I tell openvpn to remove the current DNS entries from windows when the client connects?
08:26 < ecrist> I don't know that you can have them removed, but you can 'push' alternate DNS servers in your server config
08:26 < ecrist> it's discussed in the how to.
08:29 < edeca> I've pushed them, but of course it has 3
08:29 < edeca> So it uses any of the 3 (my pushed 1 and the default 2)
08:30 < ecrist> if you check ipconfig /all on the windows machine, do you see all three listed?
08:30 < edeca> One second, just rebooted it :)
08:30 < edeca> Silly windows gremlins
08:31 < ecrist> also, is your server config using push "dhcp-option DNS 1.2.3.4" or some such?
08:34 < edeca> Yes
08:34 < edeca> However, it seems to work now
08:34 < edeca> (after a reboot!)
08:36 < Edward123> ok chaps, ecrist and cpm, downgrading didn't fix the error
08:37 < ecrist> Edward123: what's the error in the OpenVPN logs?
08:37 < Edward123> lemme pastebin the whole thing and highlight the error
08:39 < ecrist> kk
08:39 < Edward123> http://pastebin.com/d4d3beb20
08:39 < Edward123> i've done tons-a-google but not found anything i could use
08:41 < Edward123> and this is a new tap adapter - i uninstalled the old openvpn and reinstalled the old version which removed/re-created the device
08:41 -!- weedar [n=sikrit@062016224079.customer.alfanett.no] has joined ##openvpn
08:42 < Edward123> so i changed the name (to tap-bridge) and added it back to the bridge
08:47 < ecrist> Edward123: on the client, try adding route-method exe and route-delay 2 to the config
08:49 < ecrist> if route-delay 2 doesn't work, try route-delay 10
08:54 < Edward123> ok ecrist, i'll try that now
08:57 < Edward123> p.s. ecrist, does that mean you think the warning on the server is a red herring?
08:57 < ecrist> Edward123: yes
08:57 < ecrist> everything from the goog seems to indicate so.
08:58 -!- tobias|home [n=tobias@f049002177.adsl.alicedsl.de] has joined ##openvpn
08:58 < tobias|home> hi
08:59 -!- weedar [n=sikrit@062016224079.customer.alfanett.no] has quit [Operation timed out]
08:59 < Edward123> hmm OK
08:59 < Edward123> still testing
09:02 < Edward123> the server log just isn't showing even a connection attempt from any of the clients
09:02 < Edward123> trying with 10
09:06 < ecrist> Edward123: if you're not seeing a connection attempt, you've got other problems
09:06 < ecrist> like, windows firewall, maybe?
09:07 < tobias|home> when i start openvpn i become automatically a dns server, but is it possible to forbid it?
09:17 < Edward123> hmm no windows firewalls enabled anywhere ecrist
09:17 < Edward123> but 'cos it's UDP i can't diagnose it with telnet...
09:18 < Edward123> i guess i need netcat?
09:18 < Edward123> don't suppose you know if anything is built into windows i can use just to find out if a UDP port is opening and answering?
09:19 < ecrist> Edward123: netstat from the terminal should show you
09:33 < Edward123> well the server is showing this: UDP 0.0.0.0:1194 *:*
09:33 < Edward123> so it's defo. binding OK on the server
09:40 < ecrist> if you're not seeing connection attempts, the client machines aren't getting through
09:44 < Edward123> ffs today is less than a walk in the park
09:44 < Edward123> this is just one of several problems
09:53 -!- kpoman [n=chatzill@200.181.12.180] has joined ##openvpn
09:53 < kpoman> hi to all ! is there a way to bind openvpn server to a particular interface ?
09:53 < ecrist> hrm, interface, I don't think so, IP address, yes.
09:53 < kpoman> via local statement ?
09:58 -!- pumkinhed [n=pumkinhe@mail.guardianchem.ca] has quit []
10:09 < Edward123> ecrist, the clients don't have firewalling turned on and no settings have been changed on either of their routers so i think i need to further diagnose connection issues
10:10 < ecrist> ok
10:10 < Edward123> when i run 'netstat -a' on the client whilst starting the service i don't see 1194 anywhere
10:10 < Edward123> but windows firewall is turned off soooo... i'm a bit lost
10:10 < ecrist> as I said, if you show OpenVPN listening, but you're not getting any connection information in the logs, you've probably got lower level issues.
10:11 < ecrist> is there anything in the client log fies
10:11 < ecrist> files*
10:11 < Edward123> one of the clients has started saying: Tue Aug 05 16:10:53 2008 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
10:11 < Edward123> which i'm currently googling
10:18 -!- kpoman [n=chatzill@200.181.12.180] has quit [Read error: 104 (Connection reset by peer)]
10:22 < Edward123> my current best guess is that the router (server end) isn't forwarding properly
10:23 < ecrist> forwarding implies NAT
10:25 < Edward123> ecrist... yes?
10:25 < Edward123> again i hasten to add this was all working yesterday
10:26 < ecrist> you're running nat
10:26 < Edward123> i'm running NAT but i've configured port forwarding on the router for the required UDP port... and it WAS all working prior to today
10:26 < ecrist> Edward123: something is broken. Next you're going to tell me the 'server' is getting its IP via DHCP.
10:27 < cpm> heh
10:28 < Edward123> ecrist, yes something is broken
10:29 < ecrist> when you have your clients at least showing up in the server logs, get back to us. Until then, it's not an openvpn problem.
10:29 < Edward123> but no the server isn't getting its IP via dhcp
10:29 < Edward123> yeah i agree
10:33 -!- dasunt [n=nobody@unaffiliated/dasunt] has joined ##openvpn
10:33 -!- tobias|home [n=tobias@f049002177.adsl.alicedsl.de] has left ##openvpn []
10:44 < Edward123> man i'm about to drop kick this router out of the window
10:46 < cpm> you are blaming the router?
10:46 * cpm chuckles
10:46 < Edward123> well yeah
10:46 < Edward123> i think i've discovered why it suddenly stopped working: it took external connections to be some kind of attack
10:47 < Edward123> and therefore blocked them
10:47 < Edward123> for debugging i've disabled all these rules but yet it does not work
10:47 < dasunt> I want to run OpenVPN on a BSD machine, with a FreeRADIUS user/pass authentication on a Linux machine, and connect with windows clients.
10:47 < dasunt> Using (AFAICT) pam_radius on the BSD machine.
10:47 < dasunt> This *is* possible, right?
10:48 < cpm> no earthly clue.
10:48 < dasunt> It looks like the default tutorials tend to talk about preshared keys, instead of username/passwords for the OpenVPN clients.
10:49 < cpm> yeah, easier to do cert pairs that way. This is openssl
10:49 < cpm> how you would do certificate against radius, I have no idea, at all. No doubt it's doable, but I don't have the mental capacity to even imagine how.
10:54 -!- Netsplit kubrick.freenode.net <-> irc.freenode.net quits: Edward123, vlt, tcccp, justdave, dasunt, kraut, BoomSie, SilenceGold, DaPrivateer, edeca, (+4 more, use /NETSPLIT to show all of them)
11:02 -!- Netsplit over, joins: DaPrivateer, cpm, justdave, mikkel, vlt
11:02 -!- chesty [n=chesty@chesterton.id.au] has joined ##openvpn
11:02 -!- weedar [n=sikrit@062016224079.customer.alfanett.no] has joined ##openvpn
11:02 -!- Netsplit over, joins: dasunt, BoomSie
11:02 -!- rob0 [n=rob0@tuxaloosa.org] has joined ##openvpn
11:02 -!- Netsplit over, joins: edeca, krzee, bandini, Edward123, SilenceGold, tcccp, kraut
11:02 -!- justdave [n=dave@unaffiliated/justdave] has quit [Connection reset by peer]
11:02 -!- vlt [n=dm@suez.activ-job.com] has quit [Connection reset by peer]
11:04 -!- Alex [i=hauntedu@goatse.co.uk] has joined ##openvpn
11:04 -!- Edward123 [n=edward@host81-149-214-135.in-addr.btopenworld.com] has quit [Read error: 113 (No route to host)]
11:07 < rob0> hmmm there they are; when I joined it was only 2 others!
11:14 -!- BoomSie [n=gideon@dw772421126.amsterdam-tc.dataweb.net] has quit ["Ex-Chat"]
11:32 < cpm> there is no one here.
11:49 < ecrist> rob0: netsplit
11:49 -!- Irssi: ##openvpn: Total of 18 nicks [0 ops, 0 halfops, 0 voices, 18 normal]
11:51 * cpm splits rob0
11:52 < cpm> now 2x rob.5
11:52 < cpm> now 2x rob1- and rob1 rather
13:11 -!- int [n=quassel@wikia/int] has joined ##openvpn
13:16 -!- burnin [n=burnin@204-228-142-194.ip.xmission.com] has joined ##openvpn
13:57 < krzee> hrm
13:57 < krzee> ecrist, should we make a mail-list bot for here?
13:58 < krzee> like we use in some other channels, ie:
13:58 < krzee> [13:10] New on the ForumFeed: Re: Intel iwlwifi drivers with injection * WORKING with 3945 & 4965 cards *
14:05 < ecrist> krzee: I don't know if that's necessary at this point.
14:06 < ecrist> if you want to work on one and test it for a few days, I'm cool with that.
14:06 < krzee> right on ill bust something out next time i get bored enough
14:10 -!- dasunt [n=nobody@unaffiliated/dasunt] has left ##openvpn []
14:26 -!- burnin [n=burnin@204-228-142-194.ip.xmission.com] has quit ["Leaving"]
14:38 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn
14:39 -!- slango [n=slango@unaffiliated/iamethos] has joined ##openvpn
14:39 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:40 < slango> my employer uses open VPN, and for a while, things were working great. Lately though, I have been constantly disconnecting and reconnecting with the message: [server] Inactivity timeout (--ping-restart), restarting
14:41 < slango> it has become so frequent that my connection to the VPN is almost worthless
14:43 < ecrist> sounds like network problems.
14:43 < ecrist> do you connect via satellite, or cellular broadband?
14:45 < slango> ecrist: cable... :-)
14:45 < slango> it's a regular wired connection on my home network
14:46 < ecrist> slango: some cable modems block UDP traffic intermittently. Also, some CATV providers will perceive UDP traffic as p2p and try to throttle it down.
14:46 < slango> I'm not experiencing any obvious problems with my internet connection (not losing my IRC connection, etc)
14:47 < slango> ecrist: so you think that's what this is?
14:47 < slango> the only thing I really do over the VPN for now is connect to the company's IRC server
14:48 < ecrist> slango: OpenVPN, with most setups, tunnels across as UDP traffic.
14:48 < slango> doesn't seem like that would be the amount of traffic the provider would throttle
14:48 < ecrist> i.e. ALL of your VPN traffic will show as UDP.
14:48 < slango> ecrist: right, but there really shouldn't be very much at all
14:49 < slango> hmm
14:49 < slango> well, I guess I'll call comcast and see what the hell their problem is
14:49 < ecrist> I'm not worried about how much, it doesn't matter that you're connected to irc via tcp, it's tunneled through udp.
14:49 < ecrist> good luck.
14:49 < ecrist> you could ask your administrator to switch to tcp vpn.
14:50 < rob0> I have a very stable UDP openvpn using Comcast on one end.
14:50 < ecrist> rob0: so do we, but certain cable modems have problems with udp traffic.
14:51 < ecrist> I've got a few users here at the office on Comcast - some work great, never go down, others get reset about once an hour, it seems.
14:51 < rob0> The cable modem, or the router? I've seen routers which mess up UDP.
14:51 < ecrist> cable modem/router
14:53 < slango> hmm
14:53 < slango> ecrist: to give you an idea of how bad this is: I'm going down once every ten minutes or so
14:54 < slango> I have a WRT310N router from Linksys.... is there anywhere that I can check to determine if that is known to have problems with UDP?
14:55 < ecrist> slango: is that your cable modem?
14:56 < slango> ecrist: that's my router. the cable modem is an Arris TM602G/CT
14:56 < ecrist> check that for UDP filtering.
14:57 < slango> a google search for Arris TM602G comes up with no results
14:58 < slango> *Arris TM602G UDP
14:59 < ecrist> ok, so run wireshark and look at the packets around the failure.
14:59 < ecrist> see if there are a lot of retransmissions, etc.
15:05 < rob0> Talk to your vendor about the features of your router, or test it yourself.
15:05 < rob0> I never have problems like that; I use Linux machines.
15:12 < slango> rob0: well, I'm getting the exact same problem on my Linux laptop
15:12 < rob0> Laptop as a router? Or behind some cheap router?
15:13 -!- pumkinhed [n=pumkinhe@mail.guardianchem.ca] has joined ##openvpn
15:13 < pumkinhed> hello #openvpn
15:13 < rob0> I connect Linux to cable/DSL modem.
15:14 < pumkinhed> quick q, we have clients connecting via laptop from their home/hotels/wherever
15:14 < slango> rob0: oh.... no, it's a linksys router, I meant that my laptop workstation is exhibiting the same symptoms as is my OS X workstation
15:14 < slango> s/laptop/linux/
15:14 < rob0> slango, the point is that the ROUTER is most likely the cause of the problem.
15:14 < pumkinhed> sometimes, when the computer is put to sleep overnight (by closing the lid), and the computer comes back from sleep, it will complain that it cannot connect to our network
15:15 < slango> rob0: don't capitalize at me. I get that. I just misunderstood what you meant when you said "I use Linux machines."
15:15 < pumkinhed> upon closer inspection, it seems the push "route ip mask" command is failing.
15:16 < pumkinhed> the error message in openvpn logs seems to indicate that the ip address assigned to the TUN has changed since the lid was closed, and the route command fails
15:17 < pumkinhed> which makes sense, but why is openvpn calling the push "route" command, before changing the address of the TUN?
15:18 < ecrist> calm down now, kids.
15:18 < rob0> Ignored.
15:18 * ecrist fetches his beatin' stick.
15:19 < ecrist> pumkinhed: it's a good idea when you put your laptop to sleep to kill your vpn connection and rebuild it.
15:20 * ecrist puts his beatin' stick away and goes home.
15:21 < pumkinhed> ok, a batch file is easy enough to build for end-users, but i've never had this problem before now, and i've been using openvpn for years
15:22 < ecrist> pumkinhed: I'm guessing it's a windows-specific problem, probably with a recent update.
15:22 < pumkinhed> ah i am going to try and dig up the error log from a client bbiab
15:22 < ecrist> l8r
15:37 -!- slango [n=slango@unaffiliated/iamethos] has quit [Nick collision from services.]
15:40 -!- Lin [n=igormorg@unaffiliated/lincity] has joined ##openvpn
15:40 -!- Lin [n=igormorg@unaffiliated/lincity] has quit [Read error: 104 (Connection reset by peer)]
15:46 -!- Breetai [n=Breetai@mx.northriverboats.com] has joined ##openvpn
15:47 < Breetai> Hi all, I am getting messages showing up on my root console. Any way to stop that?
15:49 -!- edeca [n=david@emo.two-pebbles.com] has quit ["leaving"]
16:06 < rob0> root console? Maybe just learn about how your shell does redirection, and/or see --daemon in the man page.
16:06 -!- Lin [n=igormorg@unaffiliated/lincity] has joined ##openvpn
16:07 < Breetai> hmmmm, I will need to look, it is started from an /etc/init.d/openvpn script. I presumed it is run as a daemon
16:14 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
16:39 -!- klugefoo| [n=klugefoo@c-76-126-54-37.hsd1.ca.comcast.net] has joined ##openvpn
17:05 -!- dogmeat [n=Bob@unaffiliated/dogmeat] has joined ##openvpn
17:15 -!- Breetai [n=Breetai@mx.northriverboats.com] has quit ["Leaving"]
17:20 -!- klugefoo| [n=klugefoo@c-76-126-54-37.hsd1.ca.comcast.net] has left ##openvpn []
18:10 -!- djs [n=djs@unaffiliated/djs26] has joined ##openvpn
18:26 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Client Quit]
18:47 -!- burnin [n=burnin@204-228-142-194.ip.xmission.com] has joined ##openvpn
19:11 < ecrist> evening, kids
19:25 < tcccp> hiho
19:30 -!- Irssi: ##openvpn: Total of 20 nicks [0 ops, 0 halfops, 0 voices, 20 normal]
19:32 < ecrist> I think his problem had to do with how syslog was configured
21:49 -!- _aia_ [n=_aia_@unaffiliated/aia] has joined ##openvpn
22:10 -!- znoG_ [n=gs@host145.190-31-233.telecom.net.ar] has joined ##openvpn
22:10 < znoG_> hey all
22:11 < znoG_> I'm trying to setup OpenVPN in ethernet bridging mode .. I got the tunnel established, my client tap0 interface configured, the server side has a br0 interface with an IP and the eth1 (LAN nic) and tap0 bridged.
22:11 < ecrist> ok...
22:11 < znoG_> When I ping the server's bridge IP address on the client side, I get destination host unreachable.. and a tcpdump on the server on the tap0 interface reveals nothing at all.
22:12 < znoG_> I'm not sure where to go from here
22:13 < ecrist> how do you know you're connected to the VPN?
22:14 < znoG_> on the client side, it shows the normal "establishing connection" messages and ends with "Wed Aug 6 00:08:50 2008 Initialization Sequence Completed
22:15 < znoG_> and the IP is assigned to tap0 on the client side from the pool
22:15 < ecrist> ok, that's good to know
22:15 < znoG_> just to double check: tap0 on the server has no IP address (0.0.0.0) .. and my server-bridge line looks like this:
22:15 < ecrist> did you set up your bridge?
22:16 < znoG_> server-bridge 10.0.2.1 255.255.255.0 10.0.2.220 10.0.2.240
22:16 < znoG_> yep
22:16 < znoG_> bridge is setup .. and it is currently bridging eth1 (LAN) and tap0 .. with IP: 10.0.2.1
22:16 < ecrist> no, I mean, there's a script you need to run to build br0, and actually bridge the interfaces on the server.
22:16 < znoG_> yep got that setup
22:17 < ecrist> br0, iirc, is supposed to be part of the bridge.
22:17 < znoG_> i modified /etc/init.d/openvpn to run /etc/openvpn/bridge-start (on start) and bridge-stop (on stop)
22:17 < ecrist> ok
22:18 < ecrist> and, is there a firewall between the LAN and the VPN?
22:18 < znoG_> the only firewall is on the server itself and I've allowed openvpn traffic
22:19 < znoG_> even if it was blocking it, it should still show on tcpdump right?
22:19 < znoG_> actually if I do a tcpdump on br0
22:19 < znoG_> i can see 10.0.2.220 constantly doing an arp who-has
22:20 < znoG_> of the IP I'm trying to ping
22:20 < znoG_> and no reply by the look of it
22:20 < ecrist> :)
22:20 < ecrist> you have firewall problems.
22:26 < znoG_> you may well be right :) time to dig in
22:26 < znoG_> thanks ecrist for the hand
22:27 < ecrist> no problem.
22:36 < znoG_> ecrist: apart from letting in/out port 1194, I'm not sure what else I need to do for the traffic to be allowed through.
22:48 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
23:00 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
23:21 < znoG_> ecrist: it turned out to be an interface problem ... tap0 was already created (by some other program) so openvpn was creating tap1. Changed it to 'dev tap1' in the conf and all is well now.
23:21 < znoG_> Thanks!
23:21 -!- znoG_ [n=gs@host145.190-31-233.telecom.net.ar] has left ##openvpn []
--- Day changed Wed Aug 06 2008
00:35 -!- burnin [n=burnin@204-228-142-194.ip.xmission.com] has quit ["Leaving"]
01:01 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"]
01:32 -!- kexman [i=kexman@unaffiliated/kexman] has joined ##openvpn
01:32 < kexman> helloo
01:32 < kexman> what happened to the openvpn channel ????
01:32 < kexman> why so "many" ?
01:39 -!- weedar [n=sikrit@062016224079.customer.alfanett.no] has quit [Connection timed out]
01:58 < kraut> moin
02:20 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
02:32 < kexman> hello
02:32 < kexman> so many around :)
02:32 < kexman> 20 :)
02:39 < tcccp> hhr
04:33 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
04:36 < kexman> wtf is wrong here ?
04:36 < kexman> something changed ?
04:36 < kexman> openvpn channel moved ?
05:53 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
06:51 < ecrist> kexman: what's up?
06:51 -!- Irssi: ##openvpn: Total of 22 nicks [0 ops, 0 halfops, 0 voices, 22 normal]
06:59 < ecrist> morning, cpm
07:12 < cpm> good morning
07:20 < kexman> ecrist: well last time i was here this channel was more populated
07:20 < kexman> what happened ?
07:21 < ecrist> don't know
07:21 < ecrist> it got moved here about a week ago
07:22 < ecrist> what would you say the original population was/
07:22 < ecrist> ?
07:28 -!- Lin [n=igormorg@unaffiliated/lincity] has quit [Remote closed the connection]
07:30 < ecrist> if there are normally more, I'm sure they'll find their way here in time.
07:46 < kexman> hmm
07:46 < kexman> wait what do you mean here ?
07:46 < kexman> where did you come from ?
07:47 < kexman> wasnt this #openvpn ?
07:47 < ecrist> yes, it was.
07:47 < kexman> i now joined and i got into ##openvpn
07:47 < ecrist> it's called channel forwarding.
07:47 < kexman> yes but why ?
07:47 < kexman> so where are the other that need to find theire way here ?
07:47 < kexman> *their*
07:47 < ecrist> read up on channel forwarding on freenode.net website.
07:48 < ecrist> kexman: I don't know who you think is missing. Every time I've joined #openvpn, there's been ~20 users.
07:48 < ecrist> regardless, it's not a big deal.
07:58 < kexman> hmm
07:58 < kexman> i thought there were more people :)
07:58 < kexman> uhh :) maybe im confusing openvpn with openwrt :))
07:58 < kexman> lol
07:58 < kexman> sorry
07:58 < kexman> im hungry :))
07:58 < cpm> cookies?
08:00 < ecrist> I'm hungry. Cookies sound good.
08:09 < cpm> mmmm, cookies
08:24 -!- Lin [n=igormorg@unaffiliated/lincity] has joined ##openvpn
08:24 -!- Lin [n=igormorg@unaffiliated/lincity] has quit [Read error: 104 (Connection reset by peer)]
08:37 -!- Lin [n=igormorg@unaffiliated/lincity] has joined ##openvpn
08:57 -!- Snow- [n=snow@silver.teardrop.org] has joined ##openvpn
08:59 -!- Lin [n=igormorg@unaffiliated/lincity] has quit ["Ex-Chat"]
09:34 -!- Netsplit kubrick.freenode.net <-> irc.freenode.net quits: bandini, mikkel, kexman
09:39 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
09:39 -!- kexman [i=kexman@unaffiliated/kexman] has joined ##openvpn
09:39 -!- bandini [n=bandini@host44-107-dynamic.21-79-r.retail.telecomitalia.it] has joined ##openvpn
10:33 < Snow-> Anyone ever seen an issue where using UDP as a transport, large packets (>=1500) don't make it through an OpenVPN tunnel?
10:34 < Snow-> Doesn't seem to be a 100% of the time thing, dependent on other factors.
10:34 < rob0> I idled about 3-4 days in #openvpn after the forwarding and gag order was done. There were only a few folks left, and obviously, no discussion there.
10:34 < Snow-> I blew a bunch of time trying to find a PMTU problem and then switched to TCP, and it magically worked.
10:34 < Snow-> Forwarding and gag order?
10:35 < cpm> what was with that?
10:35 < rob0> #openvpn forwards to ##openvpn and is mode +q or whatever.
10:35 < cpm> Snow-, sounds like an MTU path discovery issue
10:36 < Snow-> cpm: That's what I thought, but ICMP (all types) are wholly unfiltered between the two locations.
10:36 < ecrist> cpm: there were some ass-clowns in the chan and there was no way to moderate.
10:36 < ecrist> so we fixed it.
10:36 < ecrist> :)
10:36 < rob0> I gather that someone was making a fuss that day ... yeah
10:36 < Snow-> Weirdly, there was a brief moment where it worked without any configuration changes at all.
10:36 < cpm> ecrist, ass-clowns? Like me?
10:36 < ecrist> cpm, no
10:36 < rob0> It WAS you.
10:36 < ecrist> ?
10:36 * cpm pouts.
10:36 < Snow-> I think it's an issue with long fast pipes, but I'm not sure...
10:37 < cpm> what happened to whuzzizname?
10:37 < Snow-> Anyway, switching to TCP as a transport seems to have solved the problem quite conclusively.
10:37 < ecrist> cpm, pm?
10:37 < rob0> He got kicked in the whachamacallit.
10:37 < cpm> ecrist, sure.
11:11 -!- nantes_geek [n=nantes_g@ARouen-153-1-67-239.w90-17.abo.wanadoo.fr] has joined ##openvpn
11:23 -!- Deecodeuh [n=kaminski@209.83.2.36] has joined ##openvpn
11:25 < Deecodeuh> I'm trying to set up a vpn client connection, but the documentation is so difficult... I'm in linux, and it's so simple in windows. How can I simply just connect to a vpn network?
11:25 < Deecodeuh> Or is it not simple?
11:27 < Deecodeuh> Can anyone answer...?
11:31 < SilenceGold> Deecodeuh what are you using to connect as a client in windows?
11:31 < cpm> routed vpn? or bridge?
11:32 < Deecodeuh> I'm using the wizard that comes standard with vista. I need to connect to a samba share over vpn.
11:33 < SilenceGold> oh
11:33 < SilenceGold> that's windows' PPTP
11:33 < SilenceGold> it's incompatible with openvpn
11:33 < SilenceGold> openvpn comes with its own server or client
11:34 < SilenceGold> you have to use openvpn client to work with openvpn server that uses SSL...not PPTP or IPSEC VPN types
11:38 < Deecodeuh> Does anyone know what a pcf file is?
11:38 < Deecodeuh> Is that a vpn setting file for windows?
11:38 < Deecodeuh> maybe...
11:39 < cpm> has to do with cisco's vpn client I think
11:39 < Deecodeuh> ah, thanks.
11:40 < cpm> again, nothing at all to do with openvpn.
11:40 < cpm> Who runs this server to which you would like to connect?
11:40 < Deecodeuh> I think it's a branch off of aflac.
11:40 < Deecodeuh> And my mom needs it to run for her work.
11:41 < Deecodeuh> Not that that helps
11:42 < cpm> I recommend that you contact the administrator of the server running the vpn to which you would like to connect.
11:43 < Deecodeuh> The problem is that he knew nothing about linux...
11:48 < ecrist> Deecodeuh: is he running an OpenVPN server, Cisco VPN, or PPTP VPN?
11:49 < Deecodeuh> Probably pptp
11:49 < Deecodeuh> You can just call me Coda... it's easier to type...
11:51 < ecrist> Deecodeuh: tab-completion makes almost any name trivial to type. :)
11:51 < ecrist> why would you say PPTP?
11:52 < Deecodeuh> tab-completion... wow, I had no idea that shortcut was there... that's cool.
11:52 < Deecodeuh> Isn't that the only type of server that the windows wizard can connect to?
11:53 < ecrist> hrm, I can't remember for sure, but I thought it also supported ipsec.
11:54 < Deecodeuh> you're right, I see it on the options in the settings.
11:54 < Deecodeuh> PPTP VPN, and L2TP IPsec VPN
11:54 < ecrist> ;)
11:54 -!- Tex-Twil [n=Elvis@unaffiliated/textwill/x-3280] has joined ##openvpn
11:55 -!- nantes_geek [n=nantes_g@ARouen-153-1-67-239.w90-17.abo.wanadoo.fr] has quit ["Happy Hacking !"]
11:56 < Deecodeuh> There's a setting called VPN Gateway... would I set that to be the ip address of the server.
11:56 < SilenceGold> no
11:56 < SilenceGold> that's the router at the remote network that you would want your workstation's network to be routed to
11:56 < SilenceGold> you have a few options..
11:57 < SilenceGold> get your PPTP client working with the remote VPN server that is running a PPTP VPN type server
11:57 < SilenceGold> or install OpenVPN server at the site then install OpenVPN client locally
11:58 < ecrist> SilenceGold: I doubt he has the authority to install a new vpn server at AFLAC.
12:09 -!- n3kl [n=n3kl@c-24-8-165-101.hsd1.co.comcast.net] has joined ##openvpn
12:09 < n3kl> Hi. Anyone heard of openvpn running in a xen vm?
12:09 < ecrist> don't know why it couldn't
12:10 < ecrist> as long as it's got the ability to build virtual interfaces.
12:10 < SilenceGold> *use virtual interfaces
12:11 < Deecodeuh> Thanks for the help. I'll figure it out eventually.
12:11 < ecrist> SilenceGold: it builds virtual interfaces for routed vpn
12:11 -!- Deecodeuh [n=kaminski@209.83.2.36] has left ##openvpn []
12:11 < SilenceGold> well, I thought you were meaning "it" as the instance
12:20 -!- Tex-Twil [n=Elvis@unaffiliated/textwill/x-3280] has quit ["Quit"]
12:32 -!- thrope [n=thrope@87-194-103-206.bethere.co.uk] has joined ##openvpn
12:32 < thrope> hello - does anyone know about setting up openvpn with rsa securid keyfobs
12:32 < thrope> or if there are any major rsa competitors in the keyfob market
12:32 < ecrist> thrope: there are a few how-to documents out there, and iirc, the openvpn.net howto covers it, briefly.
12:32 < thrope> I understand it can work - but what I wanted to check was whether you could have some users authenticating with a keyfob, but others without
12:32 -!- Lin [n=igormorg@unaffiliated/lincity] has joined ##openvpn
12:34 < ecrist> hrm, that I don't know. You could with two different openvpn instances I think
12:34 < ecrist> unless the backend that supports the RSA stuff has the support for selective requirements.
12:34 < ecrist> I think you can do that with LDAP/Kerberos, etc.
12:51 -!- xattack [i=root@132.248.108.239] has joined ##openvpn
12:57 < krzee> thrope,
12:57 < krzee> figure out how to make it work
12:58 < krzee> then put the parts that you use to make it work in ccd entries
12:58 < thrope> ah ok
12:58 < krzee> for the clients who get crypto-keys
12:59 < krzee> i havent had the pleasure of implementing crypto-keys, but thats what i recommend
12:59 < krzee> since ccd/ is the only method for selectively changing server config based on the connecting client
12:59 -!- burnin [n=burnin@204-228-142-194.ip.xmission.com] has joined ##openvpn
13:05 -!- Lin [n=igormorg@unaffiliated/lincity] has quit ["Ex-Chat"]
13:20 -!- BoomSie [n=gideon@212-182-158-43.ip.telfort.nl] has joined ##openvpn
13:22 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn
13:52 -!- highzeth [n=highzeth@hoiseth.no] has joined ##openvpn
13:52 -!- temba [n=okotoba@91-64-108-91-dynip.superkabel.de] has joined ##openvpn
13:53 -!- fozzmoo [n=fozz@209.41.95.5] has joined ##openvpn
13:54 < fozzmoo> I'm struggling trying to get openvpn traffic to go out over a specific interface where I have two providers.
13:54 < fozzmoo> shorewall node is an openvpn client.
13:54 < fozzmoo> (and a server too, but I'll worry about that later)
13:55 < fozzmoo> What do I need to do to ensure all traffic between server and client goes over, say, eth1?
13:55 < fozzmoo> Provider name: dsl
13:57 < ecrist> ok, that's done with routing.
13:57 < ecrist> simply add the appropriate routes to your routing tables and you'll be fine.
13:57 < fozzmoo> Shorewall is balancing traffic across both WAN connections.
13:57 < fozzmoo> That's the monkey wrench
13:58 < ecrist> you can still do this with routing.
13:59 -!- Tex-Twil [n=Elvis@unaffiliated/textwill/x-3280] has joined ##openvpn
14:00 < ecrist> fozzmoo: if you build an OpenVPN connection, that connection has state, which is going to go across the same interface, no matter what.
14:00 < ecrist> unless your config is wonky, in which case, you'll need to re-evaluate your config.
14:00 < fozzmoo> Yeah- that's what I thought too.
14:00 < fozzmoo> I wonder if it would help if I switched from UDP to TCP
14:01 < fozzmoo> TCP is a heck of a lot easier to track.
14:01 < ecrist> that it is
14:02 < ecrist> it gets around a lot of bugs that are present in some CATV networks, too.
14:05 -!- itguru [n=The@5ad30b3b.bb.sky.com] has joined ##openvpn
14:13 < krzee> im always a strong advocate of sticking with UDP whenever humanly possible
14:13 < krzee> tcp over tcp = bad
14:18 -!- itguru [n=The@5ad30b3b.bb.sky.com] has quit [Remote closed the connection]
14:21 -!- xattack [i=root@132.248.108.239] has quit ["Leaving"]
14:23 -!- Tex-Twil [n=Elvis@unaffiliated/textwill/x-3280] has quit ["Quit"]
14:26 -!- burnin [n=burnin@204-228-142-194.ip.xmission.com] has quit ["Leaving"]
14:26 -!- linux_manju [n=manju@202.122.23.18] has joined ##openvpn
14:27 < linux_manju> Hi All
14:27 < linux_manju> Is it possible to have UDP broadcasts across the tunnel?
14:31 < linux_manju> I have set it up in route mode.. The UDP broadcasts are not traversing through the tunnel
14:31 < linux_manju> Will bridge mode work in the above scenario?
14:35 < ecrist> it should, yes.
14:44 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:47 < linux_manju> ecrist: Thanks.. Will try that :)
14:53 < thrope> does the windows client work on vista 32 and 64 bit?
15:21 -!- krzie [i=krzee@unaffiliated/krzee] has joined ##openvpn
15:22 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
15:22 -!- krzie is now known as krzee
15:27 -!- thrope [n=thrope@87-194-103-206.bethere.co.uk] has quit [Read error: 110 (Connection timed out)]
15:38 -!- thrope [n=thrope@87-194-103-206.bethere.co.uk] has joined ##openvpn
15:39 -!- thrope [n=thrope@87-194-103-206.bethere.co.uk] has quit [Client Quit]
16:07 < linux_manju> I just setup a Bridge config..
16:08 < linux_manju> The tun0 is getting the correct IP in the client side..
16:08 < linux_manju> However I am not able to ping the server or anything behind it and vice versa
16:09 < linux_manju> any idea what would have gone wrong
16:09 < linux_manju> tcpdump while pinging does not reveal anything on both client and server side
16:09 < SilenceGold> firewall?
16:09 < krzee> you are bridging but using tun?
16:09 < SilenceGold> oh yea
16:09 < linux_manju> SilenceGold: Nope.. disabled that
16:09 < SilenceGold> should be using tap0 for bridge
16:09 < linux_manju> krzee: Sorry
16:09 < SilenceGold> otherwise, tun0 is router
16:09 < linux_manju> It's tap0
16:09 < krzee> routed = tun, bridge=tap
16:09 < SilenceGold> okay
16:09 < krzee> oh ok
16:10 < SilenceGold> you might not be pushing out a new route for the clients
16:10 < linux_manju> krzee: Yes.. I know.. thanks..
16:10 < linux_manju> SilenceGold: In bridge is it not transparent..
16:10 < linux_manju> Why do I need to push a route
16:10 < SilenceGold> hrm
16:10 < linux_manju> However .. route -n shows the route for my VPN network through tap0
16:11 < SilenceGold> how did your client get an IP?
16:11 < SilenceGold> thru DHCP or you set it up as a static setting?
16:11 < linux_manju> After getting connected.. I specified a parameter in the OpenVPN server-bridge 192.170.30.1 255.255.255.0 192.170.30.20 192.170.30.40
16:11 < linux_manju> The client got 30.21 and 22
16:12 < SilenceGold> I'm not an expert but you can pastebin the two configs..both the server and client configs
16:13 < krzee> also make sure verb is at 5 or 6 and look for any errors
16:13 < krzee> (on client and server)
16:13 < krzee> also, is there a reason you want to bridge?
16:14 < krzee> most often the bridge setups i see people try for should actually be routed
16:14 < krzee> but there are occasions where bridge is necessary
16:14 < krzee> ie: SMB shares, gaming
16:16 < linux_manju> krzee: Sorry.. was busy pasting it in the bin
16:17 < linux_manju> krzee: Yes.. I want UDP broadcasts to traverse through
16:17 < krzee> np, im here for awhile
16:17 < krzee> interesting, for my personal knowledge what do you use with udp broadcasts, if you dont mind my asking
16:17 < linux_manju> http://pastebin.com/m3bb6369d
16:17 < linux_manju> Server config
16:18 < linux_manju> http://pastebin.com/m771f5cdd
16:19 < linux_manju> client
16:19 < linux_manju> krzee: UDP broadcasts for an Application testing..
16:19 < linux_manju> krzee: I cant reveal the application name and usage because of a corp policy.. sorry
16:20 < krzee> which of the examples does your goal meet?
16:20 < krzee> http://www.cisco.com/en/US/docs/internetworking/case/studies/cs006.html
16:20 < krzee> all ones, network, subnet?
16:21 < linux_manju> 1st one is the closest..
16:21 < krzee> seems to me that as long as its not data link layer, routed would be able to handle it (assuming nothing is blocking it)
16:21 < linux_manju> krzee: Tried that in routed mode..
16:21 < krzee> but i guess after you get it up in bridge mode you'll see if thats true or not
16:22 < linux_manju> Rest was able to work perfectly fine..
16:22 < linux_manju> except UDP broadcasts..
16:22 < linux_manju> Now.. in bridge mode nothing goes through
16:22 < linux_manju> :(
16:23 < linux_manju> Any idea?
16:24 < krzee> just getting to look
16:24 < krzee> can i see routing tables for both machines too?
16:25 < linux_manju> Sure
16:25 < krzee> btw verb 3 is no good for troubleshooting
16:25 < linux_manju> Will paste the specific ones here
16:25 < krzee> raise it to 6
16:25 < krzee> you might see errors that help you figure out wassup
16:25 < linux_manju> geekbox ~ # route -n | grep -i 192.170
16:25 < linux_manju> 192.170.30.0 0.0.0.0 255.255.255.0 U 0 0 0 tap0
16:25 < linux_manju> Client
16:25 < linux_manju> Server
16:26 < linux_manju> root@DMZA:~# route -n | grep -i 192.170
16:26 < linux_manju> 192.170.30.0 0.0.0.0 255.255.255.0 U 0 0 0 br0
16:28 < krzee> these setups are confusing enough without hiding the rest of the routing table and who is where
16:28 < krzee> i cant guarantee an answer with the complete routing table, but it raises your chances
16:28 < krzee> also, are you sure you want "duplicate-cn"
16:29 < krzee> i would remove that and only allow each cert to be connected once at a time
16:30 < linux_manju> krzee: Yes.. to start with
16:30 < linux_manju> krzee: I dont think duplicate-cn would make this happen...
16:30 < krzee> ahh ok, so you will remove that and add the tls-auth when you are done... gotchya
16:30 < linux_manju> However I can eliminate the same
16:30 < krzee> no, you are right about that
16:30 < krzee> it is not the problem
16:31 < krzee> just something i noticed while reading the configs
16:31 < linux_manju> krzee: Routing table is perfectly fine.. trust me..
16:32 < linux_manju> 1: 192.170.30.21 (192.170.30.21) 0.117ms pmtu 1500
16:32 < linux_manju> 1: 192.170.30.21 (192.170.30.21) 684.726ms !H
16:32 < linux_manju> Is the tracepath output from the client
16:33 < linux_manju> Mon Aug 4 05:33:01 2008 us=659582 DMZA/202.122.23.18:43115 UDPv4 READ [77] from 202.122.23.18:43115: P_DATA_V1 kid=0 DATA len=76
16:33 < linux_manju> Mon Aug 4 05:33:01 2008 us=660027 DMZA/202.122.23.18:43115 TUN WRITE [42]
16:33 < linux_manju> Is what I get
16:33 < linux_manju> if I run it in verb 6
16:33 < linux_manju> while pinging
16:33 < linux_manju> from the client
16:34 < krzee> ok so it is going through the client
16:34 < linux_manju> Yes
16:34 < krzee> does server do the same?
16:34 < krzee> while client is pinging
16:34 < linux_manju> Let me try.. one sec
16:36 < krzee> its been a long time since i used a bridge setup
16:36 < krzee> more pitfalls in it, but ill try to help
16:36 < linux_manju> read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
16:36 < linux_manju> In the server...
16:37 < linux_manju> I am pretty sure that the firewall is disabled
16:38 < krzee> if it was firewall openvpn wouldnt report it as refused
16:38 < krzee> it would happen independent of ovpn in the OS
16:39 < linux_manju> Yes
16:39 < linux_manju> http://readlist.com/lists/lists.sourceforge.net/openvpn-users/1/5495.html
16:39 < linux_manju> Clarifies that. Safely ignore
16:40 < linux_manju> If I ping from server to client.. same message in the client as well..
16:40 < linux_manju> UDPv4 WRITE [53
16:40 < linux_manju> UDPv4 READ [53]
16:42 -!- thrope [n=thrope@87-194-103-206.bethere.co.uk] has joined ##openvpn
16:42 < linux_manju> Weird..
16:43 < linux_manju> at least tcpdump should show some output
16:45 * linux_manju kicks himself and goes out for a beer
16:45 -!- Valect [n=aaron@71.39.93.58] has joined ##openvpn
16:49 < Valect> http://pastebin.ca/1094189
16:49 < Valect> any ideas as to why that's happening
16:49 < Valect> ?
16:55 < krzee> what OS's?
17:01 < Valect> pfsense/freebsd
17:02 < Valect> and windows
17:02 < Valect> xp
17:02 < krzee> nice
17:02 < krzee> make sure all times are correct
17:02 < krzee> ntpdate time.nist.gov
17:02 < krzee> especially on the box you made certs on
17:02 < Valect> as far as i can tell they are
17:02 < krzee> run that command on each
17:03 < krzee> ive seen people think they were correct but timezones were off making them think all was good when it wasnt
17:03 < Valect> $ date
17:03 < Valect> Wed Aug 6 15:02:56 PDT 2008
17:03 < krzee> ok, that ones right
17:03 < Valect> client machine is 15:03:40 pdt
17:04 < krzee> you made the certs on one of those boes?
17:04 < krzee> boxes
17:04 < Valect> on the pfsense box
17:04 < krzee> k
17:05 < krzee> pastebin both configs?
17:06 < Valect> if i can find the openvpn server config sure, but it's all over a webui so give me a couple minutes
17:06 < Valect> here's the client
17:06 < Valect> http://pastebin.ca/1094205
17:07 < krzee> once its working, you may want to add tls-auth
17:08 < krzee> but thats not part of the problem (unless your server is using it)
17:08 < Valect> there is a server1 and server0.conf -_- thanks pfsense
17:08 < krzee> welp, figure out which is being used
17:09 < Valect> yea
17:09 < krzee> timestamps can prolly tell you
17:09 < krzee> (change it over web, look for updated timestamp)
17:10 < Valect> http://pastebin.ca/1094211
17:11 -!- thrope [n=thrope@87-194-103-206.bethere.co.uk] has quit []
17:13 < krzee> ahh
17:13 < Valect> oh?
17:13 < krzee> you change the cipher in server but not in client
17:13 < Valect> i see
17:14 < Valect> so just put "cipher AES-256-CBC" in the client config?
17:14 < krzee> i believe server / client must agree on that
17:14 < krzee> ya
17:14 < Valect> didn't work
17:14 < krzee> # Select a cryptographic cipher.
17:14 < krzee> # This config item must be copied to
17:14 < krzee> # the client config file as well.
17:15 < Valect> same errors
17:16 -!- temba [n=okotoba@91-64-108-91-dynip.superkabel.de] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"]
17:16 < krzee> after stopping the server and starting it again?
17:16 < Valect> what do i need to change in the server config?
17:17 < krzee> oh right
17:17 < Valect> heh.
17:17 < krzee> after stopping the client and starting it again?
17:17 < Valect> -.
17:17 < krzee> hehe
17:17 < Valect> yea
17:18 < Valect> and in the openvpn log i see:
17:18 < Valect> Aug 6 15:17:26 openvpn[24596]: 192.168.1.131:3414 LZO compression initialized
17:18 < Valect> Aug 6 15:17:26 openvpn[24596]: 192.168.1.131:3414 Re-using SSL/TLS context
17:18 < Valect> Aug 6 15:17:12 openvpn[24596]: Initialization Sequence Completed
17:20 < krzee> Aug 6 15:17:12 openvpn[24596]: Initialization Sequence Completed
17:20 < krzee> looks like you're connected...
17:20 < Valect> the client is still spitting that error though
17:21 < Valect> Wed Aug 06 14:40:43 2008 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
17:21 < Valect> Wed Aug 06 14:40:43 2008 TLS Error: TLS object -> incoming plaintext read error
17:21 < Valect> Wed Aug 06 14:40:43 2008 TLS Error: TLS handshake failed
17:21 < Valect> Wed Aug 06 14:40:43 2008 TCP/UDP: Closing socket
17:22 < krzee> you sure you built with build-key-server ?
17:22 -!- thrope [n=thrope@87-194-103-206.bethere.co.uk] has joined ##openvpn
17:22 < krzee> for now comment the ns-cert-type server line from client config
17:23 < krzee> if it then connects without that error, regenerate your certs
17:23 < Valect> still errors
17:23 < Valect> and yes, i built with build-key-server
17:24 < krzee> umm
17:24 < krzee> so you're saying the server says Initialization Sequence Completed
17:24 -!- thrope [n=thrope@87-194-103-206.bethere.co.uk] has quit [Client Quit]
17:24 < krzee> but the client says TCP/UDP: Closing socket
17:24 < krzee> ?
17:24 < Valect> now it's saying
17:24 < Valect> Aug 6 15:24:05 openvpn[24596]: 192.168.1.131:3474 TLS Error: TLS handshake failed
17:24 < Valect> Aug 6 15:24:05 openvpn[24596]: 192.168.1.131:3474 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
17:24 < krzee> stop both
17:24 < krzee> then start the server with verb 6
17:25 < krzee> then start the client with verb 6
17:25 < krzee> 3474? i see you using 1194
17:25 < Valect> that's the remote port
17:27 < Valect> here's the server log
17:27 < Valect> http://pastebin.ca/1094228
17:27 < Valect> client log
17:27 < Valect> http://pastebin.ca/1094229
17:28 < krzee> try commenting out your extra scripts and whatnot
17:28 < krzee> then introduce them 1 at a time to find out where it breaks
17:28 < Valect> i don't have any extra scripts O.o
17:28 < krzee> this time it looks like it may have happened at:
17:28 < krzee> Aug 6 15:25:03 openvpn[24596]: /etc/rc.filter_configure tun0 1500 1558 10.0.123.1 10.0.123.2 init
17:29 < Valect> oh
17:29 * Valect kicks pfsense
17:29 < Valect> but
17:29 < Valect> why would that cause an issue with the tls stuff?
17:30 < krzee> Aug 6 15:25:03 openvpn[24596]: event_wait : Interrupted system call (code=4) not sure its the problem
17:30 < krzee> just see that the server errors right after that
17:30 < krzee> now i see the client giving that tls error too
17:31 < Valect> that was the server killing the previous instance
17:31 < krzee> could be a corrupted cert too
17:31 < Valect> i just generated these certs
17:33 < krzee> that guarantees no problem with them?
17:33 < krzee> also, you said you generated them using pfsense, did you do it with the web based thing?
17:34 < Valect> no, but i don't see where or how they could have become corrupted
17:34 < Valect> no
17:34 < Valect> oh
17:34 < Valect> wait
17:34 < Valect> damn it
17:34 < Valect> i did make the certs on a different machine
17:35 < krzee> you did it according to these directions: http://openvpn.net/index.php/documentation/howto.html#pki
17:35 < Valect> yea
17:35 < krzee> and if its done on another machine, make sure its time is correct
17:35 < Valect> [root@fileserver ~/easy-rsa/KEYS]# date
17:35 < Valect> Wed Aug 6 15:34:01 PDT 2008
17:35 < krzee> the same error you have ive seen fixed by updating times, and regenerating certs
17:36 < Valect> the time on this machine is correct because our samba stuff freaks out if it isn't
17:38 < krzee> try commenting out the cipher line on both configs
17:39 < krzee> is pfsense client or server?
17:39 < Valect> server
17:41 < Valect> you have no idea how difficult it is to manipulate pfsense through its webui command interpreter
17:41 < Valect> (ssh isn't working either, hooray)
17:41 < krzee> heh
17:41 < krzee> true i do have no idea
17:41 < krzee> pfsense is modified fbsd, i just stick with fbsd
17:41 < krzee> with no gui
17:41 < Valect> my conf editor has become unwieldy combinations of sed, awk, and grep
17:41 < krzee> haha
17:42 < Valect> yea same here, 'cept this system was already in place when i was employed
17:42 < krzee> ahh work box
17:42 < krzee> understood
17:42 < krzee> heh, fun
17:42 < Valect> :p
17:43 < Valect> no error from the client
17:43 < krzee> after removing cipher?
17:43 < Valect> yea
17:43 < krzee> ahh
17:43 < Valect> nothing from the server
17:43 < krzee> then 1 of the boxes openssl used when compiling openvpn didnt have that cipher
17:44 < krzee> can either recompile openvpn after updating openssl, or weaken the used cipher
17:44 < Valect> ah
17:44 < Valect> i'm going to have to test this from a remote location later anyway, it's doing something else entirely
17:45 < krzee> both machines are on the same lan?
17:45 < Valect> oh i'm getting the tls error again
17:45 < Valect> yea heh :x
17:45 < krzee> heh
17:45 < krzee> thats a problem
17:45 < krzee> (routers in between?)
17:45 < Valect> i thought as much, however, i would have expected everything to work up until the point i try to use the tunnel
17:45 < Valect> no
17:45 < krzee> ya, problemo
17:46 < Valect> wouldn't it still connect though?
17:46 < krzee> possibly
17:46 < Valect> heh
17:46 < krzee> i know it wont work, dunno how far it would get
17:47 < krzee> i guess for the same reason i dont know how fast a broadcast storm would ramp up to taking down a LAN
17:47 < krzee> lol
17:47 < Valect> >:)
17:48 < Valect> bleh
17:48 < Valect> thanks for the help
17:48 < Valect> ill have to poke at this later
17:48 -!- Valect [n=aaron@71.39.93.58] has left ##openvpn []
17:51 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
17:53 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Client Quit]
18:34 -!- miggyb [n=miggyb@cpe-069-134-035-139.nc.res.rr.com] has joined ##openvpn
18:36 < miggyb> hello. i was wondering if i needed to make a vpn if my router was also my fileserver. that is, any person outside the network wouldn't have to do network area translation, a simple ssh tunnel would suffice.
18:36 -!- BoomSie [n=gideon@212-182-158-43.ip.telfort.nl] has quit ["Ex-Chat"]
18:36 < krzee> i dont fully understand the question
18:37 < ecrist> miggyb: can you rephrase?
18:38 < miggyb> krzee: it's not two separate networks that need to be joined together. i have a LAN where the router connecting me to the internet is also my fileserver. if i was outside the network and needed to access some files, i wouldn't have to connect to any computers in the LAN, just the router itself, right? i could just use the external ip instead of the internal one.
18:39 < krzee> ecrist, im starting to look into that bot now, gunna have it use !learn to learn !commands for common things, like !nat would give our common links for NAT stuff, !firewall, etc etc
18:39 < ecrist> ok - just don't build an annoying bot.
18:39 < krzee> that is correct
18:40 < krzee> ecrist, we use the same bot in #aircrack-ng and #remote-exploit, comes in very handy
18:40 < krzee> and ill be running it for the channel so if its decided that part or all of it is annoying, we'll just kill it
18:40 < ecrist> miggyb: that is correct - although, if it were my network, I'd either 1) tunnel over ssh, or 2) install openvpn and make the fileserver stuff accessible only via the vpn.
18:40 < krzee> (or remove the annoying part)
18:41 < krzee> i agree with ecrist
18:41 < krzee> i personally would make a simple openvpn setup for it
18:41 < krzee> ild be more inclined to only allow sshd over the vpn even
18:41 < miggyb> could i make a ssh tunnel without having to do a full vpn?
18:41 < krzee> yes
18:42 < miggyb> would there be any downsides to this, besides not being able to access every computer in the LAN, etc?
18:42 < krzee> www.ircpimps.org/openvpn.configs
18:42 < krzee> (sample configs from my network, which would work for you)
18:43 < krzee> only reason ild use openvpn as opposed to ssh as the way into the network is cause i trust its security more, but in reality nah both should work fine for you
18:43 < krzee> except... what do you use to serve the files?
18:44 < krzee> SMB, NFS, etc?
18:44 < miggyb> right now i'm just scp-ing them back and forth. but eventually, i'd like to get appletalk working.
18:44 < krzee> ahh, appletalk uses udp iirc, you may not be able to do that over a ssh tunnel
18:45 < miggyb> i read somewhere that it works over vpn, though.
18:45 < krzee> im not 100% on if appletalk will work over ssh tunnel
18:45 < krzee> right, it will work over vpn
18:45 < krzee> ssh tunnel is socks5, not vpn
18:45 < miggyb> ah, i see. so a vpn isn't just a ssh tunnel with NAT?
18:46 < krzee> not at all
18:46 < krzee> in fact a vpn doesnt do nat at all
18:46 < krzee> if you needed nat youd hafta do it at the OS level either way
18:46 < krzee> (but you dont need nat)
18:46 < miggyb> hmm. that's what i get for reading an oversimplified version of how vpns work.
18:46 < krzee> i dont use NAT on my vpns
18:47 < krzee> think of a vpn as a network cable running from 1 location to the other
18:47 < krzee> only, its a virtual cable which goes over the inet using encryption
18:47 < krzee> in openvpn's case, that encryption can be customized and strengthened like arnold on roids
18:48 < ecrist> miggyb: look into sftp - it's FTP via ssh.
18:48 < miggyb> ecrist: truth be told, i kind of hate ftp. i've had bad experiences with it. :)
18:49 < krzee> ya sftp is another way to meet your goal if you arent 100% sure you want appletalk
18:49 < ecrist> miggyb: it's not ftp though, it's its own protocol
18:49 < krzee> i would never use ftp, i use sftp often
18:49 < miggyb> krzee: so openvpn works at the "hardware" level, while ssh works at a higher level?
18:49 < ecrist> but, it gives you access to your files.
18:49 < ecrist> no, they're both application-layer.
18:49 < ecrist> erm, layer 6
18:49 < krzee> no, openvpn works either on link layer or network layer, depending if bridged or routed
18:49 < ecrist> transport
18:50 * ecrist goes for his book
18:50 < ecrist> layer for - transport
18:50 < ecrist> lol, four
18:50 < krzee> bridged mode is like hooking that cable into the LAN switch
18:50 < miggyb> well, i put hardware in quotes. i know you don't need a "vpn card." but having a software interface that looks like a hardware interface has its benefits, then?
18:50 * ecrist is drinking
18:50 < miggyb> i'm not that good with the terminology.
18:51 < krzee> have you read the howto and the faq?
18:51 < krzee> they are a big read but a lot of understanding can be gained from them
18:51 < ecrist> miggyb: openvpn isn't what you need - SFTP is your ticket.
18:51 < miggyb> krzee: i did. but this was a while ago and i could probably use a refresher
18:51 < ecrist> unless you want access to your lan, then openvpn is it.
18:51 < krzee> ecrist is right, although you can use openvpn (and i do for the same stuff you mention) it can be done easier with sftp
18:52 < miggyb> ecrist: part of the reason why i want to set it up using appletalk is so i could listen to my itunes library locally and on the road. the OS just sees a mounted volume called "music" and it doesn't know whether it's local or not
18:53 < ecrist> miggyb: You should have said you were on a mac - gimme a sec.
18:53 < miggyb> if anything, i'd be more open to samba/nfs, but samba has performance issues, and nfs isn't as integrated into the os
18:53 < miggyb> ecrist: sure
18:54 < ecrist> miggyb: look into ExpanDrive - it'll allow you to mount an SFTP share on your mac.
18:54 < krzee> but also
18:54 < ecrist> also, NFS is pretty much a core technology, it's VERY integrated.
18:55 < krzee> the openvpn setup for your needs is most simple to set up
18:55 < krzee> so if you would like to play with openvpn anyways, thats a good setup to get your feet wet with
18:55 < ecrist> if you're on linux or FreeBSD, look into FuseFS
18:57 < miggyb> so what would be easier to set up, sftp or openvpn + smb/appletalk/nfs/etc
18:57 < miggyb> this is on freebsd
18:57 < ecrist> miggyb: there's no setup for sftp
18:57 < krzee> his way
18:57 < ecrist> enable ssh, and you're done.
18:58 < ecrist> use ExpanDrive on your mac, done deal.
18:58 < krzee> sftp is a subsystem of ssh
18:58 < krzee> if you can ssh, you can sftp
18:58 < ecrist> usually
18:58 < krzee> well ya
18:58 < krzee> it can be disabled
18:59 < krzee> but youd hafta try to do that
18:59 < ecrist> as long as you have "Subsystem sftp /usr/libexec/sftp-server" in your /etc/ssh/sshd_config
18:59 < krzee> default on fbsd (system or ports) will have it enabled
18:59 < miggyb> so performance is essentially the same as scp?
19:00 < ecrist> miggyb: scp and sftp use the same subsystem.
19:01 < ecrist> just different invocations.
19:01 < ecrist> also, KDE has built-in support for it, so you can call file systems with a standard URI (sftp://user@host:/this/directory)
19:02 < ecrist> in things like KDevelop, Quanta, etc.
19:02 < miggyb> hmm. i'm going to have to give this some thought. paying $30 bucks for something that i could have for free seems kind of... "wasteful," in a sense.
19:03 < ecrist> ok
19:03 < miggyb> is there a FUSE plugin for sftp?
19:03 < krzee> i believe so
19:04 < ecrist> miggyb: yes
19:04 < ecrist> I mentioned that, above.
19:04 < ecrist> 18:55 < ecrist> if you're on linux or FreeBSD, look into FuseFS
19:04 < miggyb> oh, sorry.
19:05 < miggyb> haha. i've been having problems with only half-reading material.
19:05 < miggyb> i'm going to get conned out of something one of these days.
19:06 < ecrist> you know, though, it *is* polite to read everything that's being said, especially when you're asking for help.
19:06 < ecrist> :\
19:07 < miggyb> ecrist: i know. i apologize. i sincerely do appreciate the help you and krzee have given me. i wouldn't have considered sftp before this, but now, it seems as though it might be a viable solution.
19:08 < ecrist> sftp/scp/ssh is the most under-used utility I know.
19:09 < miggyb> ecrist: there's an entire generation of computer users that are afraid of using the terminal. i'm not saying i'm about to give up a nice GUI, but i also know some things are best typed out.
19:11 < miggyb> however, i need to crack open my laptop. i bought a 250gb drive for it and i can't wait to have that extra space.
19:11 < krzee> sftp isnt only CLI
19:12 < krzee> cyberduck is free for osX
19:12 < krzee> it supports sftp
19:12 < miggyb> again, thanks for all the help, and i'm sorry i skipped over that message. it was really an honest mistake, i didn't mean anything malicious from it.
19:12 < miggyb> krzee: i'll keep that in mind
19:13 < miggyb> goodbye, all.
19:13 -!- miggyb [n=miggyb@cpe-069-134-035-139.nc.res.rr.com] has quit ["leaving"]
19:13 < krzee> adios
19:13 * krzee high 5's ecrist
19:13 < krzee> drinking and still bustin out answers
19:13 < ecrist> lol
19:14 < ecrist> I'm a bottle deep in wine and 3 beers down the hatch!
19:14 * ecrist thinks of some Homer-isms.
19:14 < krzee> hah
19:15 < krzee> go for the fat bastard
19:15 < krzee> look at it and yell "get in mah belly"
19:20 * ecrist goes to start the grill
19:22 * krzee decides what discoteca to go to tonight
19:34 -!- krzee [i=krzee@unaffiliated/krzee] has quit ["bbl"]
20:34 -!- highzeth [n=highzeth@hoiseth.no] has quit [Read error: 104 (Connection reset by peer)]
21:09 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
21:33 -!- krzie [i=nobody@unaffiliated/krzee] has joined ##openvpn
21:33 -!- krzie [i=nobody@unaffiliated/krzee] has left ##openvpn []
23:40 -!- vpnHelper [i=vpn@joogot.noskills.net] has joined ##openvpn
23:40 < krzee> !learn krzee as http://www.ircpimps.org/pimpin.jpg
23:40 < vpnHelper> krzee: Error: "learn" is not a valid command.
23:41 -!- vpnHelper [i=vpn@joogot.noskills.net] has quit [Client Quit]
23:41 < krzee> is too!
23:45 -!- vpnHelper [i=vpn@joogot.noskills.net] has joined ##openvpn
23:46 -!- vpnHelper [i=vpn@joogot.noskills.net] has quit [Client Quit]
23:52 -!- vpnHelper [i=vpn@joogot.noskills.net] has joined ##openvpn
23:52 < krzee> !help
23:52 < vpnHelper> krzee: (help [<plugin>] [<command>]) -- This command gives a useful description of what <command> does. <plugin> is only necessary if the command is in more than one plugin.
23:53 < krzee> !help learn
23:53 < vpnHelper> krzee: Error: There is no command "learn".
23:53 < krzee> !learn krzee
23:53 < vpnHelper> krzee: Error: "learn" is not a valid command.
23:53 < krzee> !help rss
23:53 < vpnHelper> krzee: (rss <url> [<number of headlines>]) -- Gets the title components of the given RSS feed. If <number of headlines> is given, return only that many headlines.
23:53 < krzee> !rss
23:53 < vpnHelper> krzee: (rss <url> [<number of headlines>]) -- Gets the title components of the given RSS feed. If <number of headlines> is given, return only that many headlines.
23:53 < krzee> !rss feed://feedity.com/rss.aspx/sourceforge-net/V1pVV1A
23:53 < vpnHelper> krzee: Unable to download feed.
23:53 < krzee> hrmz
23:54 < krzee> !quit
23:54 < vpnHelper> krzee: Error: You don't have the owner capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
23:54 -!- vpnHelper [i=vpn@joogot.noskills.net] has quit [Client Quit]
23:59 -!- vpnHelper [i=vpn@joogot.noskills.net] has joined ##openvpn
--- Day changed Thu Aug 07 2008
00:00 -!- vpnHelper [i=vpn@joogot.noskills.net] has quit [Client Quit]
00:01 -!- vpnHelper [i=vpn@joogot.noskills.net] has joined ##openvpn
00:15 -!- vpnHelper [i=vpn@joogot.noskills.net] has quit [Remote closed the connection]
00:15 -!- vpnHelper [i=vpn@joogot.noskills.net] has joined ##openvpn
00:15 < krzee> sorry for the rehashing
00:36 -!- vpnHelper [i=vpn@joogot.noskills.net] has quit ["I was just trying to help!"]
00:53 -!- RexMundi [n=RexMundi@off.spillgroup.com] has joined ##openvpn
01:54 -!- wyze [n=swc|666@unaffiliated/swc666/x-4934821] has joined ##openvpn
02:04 -!- MrY [n=mry@70.42.255.230] has joined ##openvpn
02:04 -!- MrY [n=mry@70.42.255.230] has left ##openvpn []
02:22 < kraut> moin
02:25 < krzee> hey
02:28 < wyze> is there any short answer to explain the cause of this error?
02:28 < wyze> us=228709 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
02:28 < wyze> us=230588 TLS Error: TLS object -> incoming plaintext read error
02:29 < wyze> us=997579 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
02:29 < krzee> heh ran into that one earlier
02:29 < krzee> you defining cipher manually?
02:30 < wyze> yep
02:30 < krzee> try commenting that out
02:30 < krzee> on both client and server
02:30 < krzee> then stop and start each
02:35 < wyze> no luck
02:37 < wyze> krzee: are you on debian by any chance when you experienced the issue?
02:43 < krzee> it wasnt me
02:43 < krzee> it was another person
02:43 < krzee> they were using pfsense and freebsd
02:43 < krzee> seemed 1 side didnt support the cipher he used
02:44 < krzee> have you made sure ntpdate time.nist.gov didnt show your time as being off on client/server/machine used to gen certs?
02:44 < krzee> cert files look fine?
02:44 < wyze> krzee yes to both
02:46 < krzee> temp comment tls-auth?
02:46 -!- BoomSie [n=gideon@dw772421126.amsterdam-tc.dataweb.net] has joined ##openvpn
02:49 < krzee> are you using network manager?
02:49 < krzee> are you using ns-cert-type command in client? if so try commenting it
02:50 < wyze> no, i'm going from debian client > debian server
02:51 < wyze> has to be a debian issue... my configuration works flawlessly on fedora and freebsd
02:51 < krzee> you dont have openssl old enough that its still affected by that debian specific ovpn problem do you?
02:51 < wyze> nope
02:51 < krzee> err not ovpn
02:51 < krzee> ossl
02:52 < krzee> post your configs in pastebin
02:52 < wyze> i have 0.9.8g12
02:52 < wyze> 1 sec...
02:53 < krzee> also try those 2 things i suggested
02:53 < krzee> ill brb
02:53 < krzee> gotta reboot
02:53 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Remote closed the connection]
03:07 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
03:08 < wyze> w00t
03:08 < wyze> looks like its resolved ;)
03:09 < krzee> any luck with the testing of commenting tls-auth, ns-cert type?
03:09 < krzee> ahh what was it?
03:09 < wyze> not sure actually.. :o
03:09 < krzee> erm
03:09 < krzee> what did you do?
03:09 < wyze> 1 sec... lemme review what i did again...
03:11 < wyze> i think it was a combination of time sync and switching from tap to tun w/ifconfig options
03:12 < wyze> attributes*
03:12 < wyze> cipher works also with AES-256-CBC too
03:14 < wyze> krzee: question... given that in this instance, i'm running this from a debian installation on my openmoko phone (client), is there any way that you know of to bypass issues if the client isn't sync'd for its system clock?
03:15 < wyze> the phone hw clock tends to get off beat
03:22 -!- wyze [n=swc|666@unaffiliated/swc666/x-4934821] has left ##openvpn []
04:08 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Remote closed the connection]
04:08 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
05:38 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
06:57 < ecrist> morning, folks.
06:58 < cpm> morn'n
07:50 -!- highzeth [n=highzeth@hoiseth.no] has joined ##openvpn
09:25 -!- Lin [n=igormorg@unaffiliated/lincity] has joined ##openvpn
09:31 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
09:50 -!- BoomSie [n=gideon@dw772421126.amsterdam-tc.dataweb.net] has quit ["Ex-Chat"]
09:53 -!- Irssi: ##openvpn: Total of 28 nicks [0 ops, 0 halfops, 0 voices, 28 normal]
09:58 -!- Lin [n=igormorg@unaffiliated/lincity] has quit ["Ex-Chat"]
10:17 -!- fozzmoo [n=fozz@209.41.95.5] has left ##openvpn []
10:38 -!- afrayedknot [n=user@sourcemage/elder/afrayedknot] has joined ##openvpn
10:41 -!- intangir [i=Intangir@c-98-197-217-152.hsd1.tx.comcast.net] has joined ##openvpn
11:32 -!- xattack [i=root@132.248.108.239] has joined ##openvpn
11:50 -!- Tex-Twil [n=Elvis@unaffiliated/textwill/x-3280] has joined ##openvpn
12:14 -!- Tex-Twil [n=Elvis@unaffiliated/textwill/x-3280] has quit ["Quit"]
12:17 < intangir> does the dns setting work on linux?
12:21 < intangir> i put this in my config: dhcp-option dns 192.168.1.1
12:21 < intangir> but it never gets set
12:21 < intangir> also most of the routing changes are changed BEFORE the connection is even established..
12:21 < intangir> which complicates matters
12:38 < ecrist> intangir: all those settings should work fine on linux
12:49 < n3kl> Is it possible to setup a mirror port on openwrt?
12:52 < ecrist> you should ask openwrt
12:53 < intangir> ecrist: well it didnt
12:53 < intangir> i added commands to crontab to add the name server to /etc/resolv.conf
12:54 < intangir> who wants to hear about a rather unusual possibly unique set up ;)
12:55 < ecrist> enlighten us
12:55 < intangir> check it out.. my work has everything outgoing blocked except port 22
12:55 < intangir> everything in blocked
12:56 < intangir> so.. i use autossh to establish a ssh tunnel to my home machine on 22
12:56 < intangir> and port forward local 1194 to my home machine
12:56 < intangir> i use openvpn over tcp over that tunnel
12:57 < intangir> on both sides i setup the routing to allow my home machine to get to any server at work
12:57 < intangir> and my work machine to get to any machine at home
12:57 < intangir> and the ENTIRE INTERNET
12:57 < intangir> so i can use the whole internet without anyone at work seeing ;)
12:57 < intangir> both sides of my vpn tunnel allow nat for the other client
12:58 < intangir> its a ptp
13:02 < intangir> sounds simpler with that explanation but it was a pretty huge pain in the ass to setup
13:06 -!- burnin [n=burnin@204-228-142-194.ip.xmission.com] has joined ##openvpn
13:22 < ecrist> glad you got it figured out, intangir
13:22 -!- Irssi: ##openvpn: Total of 30 nicks [0 ops, 0 halfops, 0 voices, 30 normal]
13:55 < intangir> http://www.youtube.com/watch?v=h6HLTBwCFO0
14:04 -!- xattack [i=root@132.248.108.239] has quit [Remote closed the connection]
14:16 -!- burnin [n=burnin@204-228-142-194.ip.xmission.com] has quit ["Leaving"]
14:21 -!- Lin [n=igormorg@unaffiliated/lincity] has joined ##openvpn
14:29 < ecrist> SilenceGold: I've got svn setup and current sources for ssl-admin committed, if you're still willing to write man pages.
14:30 < ecrist> or contribute to the code.
14:46 < intangir> hey guys
14:46 < intangir> ok so i told you about that interesting setup..
14:46 < intangir> here's my dilemma
14:46 < intangir> i have to setup a special route, so that i can connect that tunnel that my openvpn is over
14:46 < intangir> then i setup a default route for all traffic to go over that
14:47 < intangir> the only IP that DOESNT go across the VPN (so the only one i cant access)
14:47 < intangir> is the website being hosted on the other side of this vpn tunnel
14:47 < intangir> i cant route it.. cause then i cant connect the tunnel..
14:47 < intangir> i want to connect to its port 80
14:47 < ecrist> intangir: you can do it, but it's going to be a really funky rule set.
14:47 < intangir> how?
14:50 < ecrist> lots of routes.
14:51 < intangir> its like i need to route it on one gateway if its port 22
14:51 < ecrist> properly subnet the internet in push route statements.
14:51 < intangir> or route it on another gateway if its 80
14:51 < ecrist> intangir: that sounds like a pf thing.
14:51 < ecrist> use pf with rdr rules.
14:51 < intangir> whats pf and rdr?
14:51 < ecrist> pf is a firewall, avail on *BSD.
14:52 < ecrist> you could probably do the same thing with ipfw and ipchains, but I'm not as familiar with those.
14:52 < ecrist> or, do it with local ssh tunnels.
14:52 < intangir> i have thought about ssh tunnels i dont think there's a way
14:52 < intangir> maybe the ip. tables/chains
14:53 < intangir> i always forget which is the newer
14:53 < intangir> tables
14:57 < rob0> You want a remote IP (routable, non-NAT'ed) to be bound over openvpn?
14:57 * rob0 has done that and posted a Linux-centric HOWTO on the mailing list
14:57 < ecrist> rob0: other way around.
14:58 < ecrist> he wants openvpn to be default, restrict certain ips to local
14:58 < rob0> In Soviet Russia, IP's restrict YOU
14:59 < cpm> yeah, they do that here
14:59 < cpm> :)
14:59 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
15:49 < intangir> iptables -t nat -A PREROUTING -p tcp -d intangir.org --dport 80 -j DNAT --to-destination 10.8.0.1
15:49 < intangir> thats what i used ;)
15:49 < intangir> changes the IP for packets to my vpn hosts WAN ip to instead use the vpn ip
15:49 < intangir> only for port 80
15:50 < ecrist> there ya go
15:50 * ecrist goes home
16:02 < intangir> is there a way to check if im getting fragmentation issues?
16:02 < intangir> i have the mtu for both my eth0 and tun0 as 1500
16:10 < kexman> intangir: what did you do that for ?
16:11 < kexman> ecrist: ipchains ? :) are you serious ? :)))
16:11 < kexman> that thing still exists ?
16:11 < kexman> didnt netfilter come up with iptables ?
16:21 < intangir> kexman: so i can http onto the vpn server
16:24 -!- Lin [n=igormorg@unaffiliated/lincity] has quit [Read error: 113 (No route to host)]
16:50 < kexman> hmm ?
17:40 -!- nantes_geek [n=nantes_g@ARouen-153-1-67-239.w90-17.abo.wanadoo.fr] has joined ##openvpn
18:06 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
18:07 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn
18:33 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Client Quit]
18:36 -!- Valect [n=aaron@24-113-87-90.wavecable.com] has joined ##openvpn
18:36 -!- Valect [n=aaron@24-113-87-90.wavecable.com] has quit []
18:37 -!- Valect [n=aaron@24-113-87-90.wavecable.com] has joined ##openvpn
18:38 < Valect> i need help getting openvpn working on freebsd over a tap device
18:38 < Valect> here's my config and ifconfig output: http://pastebin.ca/1095168
18:39 < Valect> i don't see anything wrong with it, but i can't actually reach the service
18:50 -!- Valect [n=aaron@24-113-87-90.wavecable.com] has quit [Remote closed the connection]
18:50 -!- Valect [n=aaron@24-113-87-90.wavecable.com] has joined ##openvpn
19:00 -!- burnin [n=burnin@204-228-142-194.ip.xmission.com] has joined ##openvpn
19:43 -!- kexman [i=kexman@unaffiliated/kexman] has left ##openvpn []
20:26 < Valect> :|
21:11 < ecrist> Valect: have some patience.
21:11 < ecrist> :]
21:12 < Valect> it's only been 2.15 hours
21:12 < Valect> maybe 2.5
21:12 < Valect> too lazy to count
21:12 < ecrist> right, while my nick is present, I'm often not here - similar to many others.
21:12 < ecrist> I'm looking at your pastebin now.
21:12 < Valect> lol i know, just giving shit
21:15 < ecrist> so, is your config not working?
21:15 < Valect> openvpn doesn't complain about it
21:15 < Valect> Thu Aug 7 19:15:36 2008 OpenVPN 2.0.6 i386-portbld-freebsd7.0 [SSL] [LZO] built on Jul 1 2008
21:15 < Valect> Thu Aug 7 19:15:36 2008 TUN/TAP device /dev/tap0 opened
21:15 < Valect> Thu Aug 7 19:15:36 2008 /usr/local/etc/openvpn/scripts/create-bridge-on-start.sh tap0 1500 1590 init
21:15 < Valect> Thu Aug 7 19:15:36 2008 UDPv4 link local (bound): [undef]:1194
21:15 < Valect> Thu Aug 7 19:15:36 2008 UDPv4 link remote: [undef]
21:15 < Valect> Thu Aug 7 19:15:36 2008 Initialization Sequence Completed
21:16 < ecrist> ok, so, you can start openvpn, can your clients connect?
21:16 < ecrist> please don't paste here.
21:16 < Valect> no
21:16 < Valect> i can't access port 1194 locally either, using 127.0.0.1, 192.168.1.11, or 192.168.5.11
21:16 < ecrist> can you show me a client config, via pastebin?
21:16 < ecrist> and, after openvpn has been started, show me sockstat output.
21:17 < Valect> http://pastebin.ca/1095270
21:17 < Valect> oh snap i'm retarded
21:17 < Valect> i always try to telnet udp ports
21:18 < ecrist> yeah, you can't do that.
21:18 < Valect> here's a client config
21:18 < Valect> http://pastebin.ca/1095272
21:20 < ecrist> ok, sockstat shows port 1194 is listening.
21:20 < ecrist> are you running a firewall?
21:20 < Valect> i'm checking out the firewall.. it may have decided to take back over
21:22 < Valect> so this openvpn is behind our firewall.. would i have to setup a rule to forward 1194 to 192.168.1.11 or 192.168.5.11
21:23 < Valect> because neither is working
21:23 < Valect> but i want to be sure before i start messing with other things
21:24 < ecrist> you would have to forward udp:1194 in to your openvpn server, yes
21:25 < Valect> yea but to which interface
21:25 < ecrist> either one - openvpn is listening to both.
21:25 < Valect> k
21:31 < Valect> i'm starting to think pfsense is lying to me
21:33 < ecrist> I'm thinking you have a firewall issue, and not an OpenVPN issue.
21:34 < Valect> at this point i would have to agree
21:34 < Valect> but you see no problems with my configs?
21:34 < Valect> that's what i wanted to verify
21:35 < ecrist> no problems with the config I can see.
21:35 < Valect> cool
21:35 < Valect> thanks
21:35 < ecrist> np
21:36 < ecrist> weren't you asking this same stuff in ##freebsd earlier today?
21:36 < ecrist> ;)
21:39 -!- near [n=near@83-156-241-63.rev.libertysurf.net] has joined ##openvpn
22:03 < Valect> almost
22:04 < Valect> i was asking about the bridge and tap device part
22:58 -!- Valect [n=aaron@24-113-87-90.wavecable.com] has quit []
23:01 < _aia_> any reason why I'm getting Cannot load certificate file client.crt: error:0906D06C:PEM routines:PEM_read_bio:no start line: error:140AD009:SSL routines:SSL_CTX_use_certificate_file:PEM lib
23:18 < _aia_> getting failed to update databas TXT_DB error number 2 when I try to create another client
23:18 < _aia_> server connects fine
--- Day changed Fri Aug 08 2008
00:23 -!- Valect [n=aaron@24-113-87-90.wavecable.com] has joined ##openvpn
00:23 < Valect> anyone still here?
00:29 -!- bandini [n=bandini@host44-107-dynamic.21-79-r.retail.telecomitalia.it] has quit [Remote closed the connection]
00:44 -!- wyze [n=swc|666@unaffiliated/swc666/x-4934821] has joined ##openvpn
00:44 < wyze> krzee: ping
01:13 -!- burnin [n=burnin@204-228-142-194.ip.xmission.com] has quit ["Leaving"]
01:17 < Valect> ahoy wyze
01:17 < wyze> :o
01:18 < Valect> you in vegas?
01:21 < wyze> hell no
01:21 < wyze> i might go saturday
01:21 < Valect> lol
01:28 < Valect> omg!?
01:28 < Valect> i think i finally got openvpn working
01:30 < Valect> hrm not quite
01:30 < Valect> it's connected at least, but now i have to figure out why i can't reach anything on the smae subnet
01:30 < Valect> smae
01:30 < Valect> same
01:42 < wyze> iptables?
01:43 < wyze> and are you pushing dns to the client?
01:44 < Valect> no, and yes
01:44 < Valect> but i'm trying to reach an IP anyway
01:44 < Valect> i will worry about dns later :x
01:45 < wyze> u should edit your... umm, which os is the server?
01:45 < Valect> freebsd
01:45 < wyze> u need a echo 1 > /proc/sys/net/ipv4/ip_forward
01:45 < wyze> and
01:45 < wyze> iptables -t nat -A POSTROUTING -s 192.168.2.3 -j SNAT --to 123.123.123.123
01:45 < wyze> iptables -t nat -A POSTROUTING -s 192.168.2.4 -j SNAT --to 123.123.123.123
01:45 < wyze> iptables -t nat -A POSTROUTING -s 192.168.2.5 -j SNAT --to 123.123.123.123
01:46 < wyze> where 123.x.x.x.x is your ip
01:46 < wyze> and where the 192.x.x.x addy are the ones being distributed to the clients
01:46 < Valect> there's no iptables in play
01:46 < wyze> ah thats right..
01:47 < Valect> and i can't remember if freebsd has an ip_forward thing
01:49 < wyze> are u using pf at all?
01:50 < Valect> pf is on the firewall in front of it, and 1194 is mapped to it
01:50 < wyze> try this... tweak to your needs..
01:50 < wyze> http://pastebin.ca/index.php
01:51 < Valect> heh
01:51 < wyze> i had it running on openbsd some time ago, but disabled it... that tidbit was from some notes i had
01:51 < Valect> try again :)
01:51 < Valect> pastebin.ca echos the url instead of forwarding you to it
01:51 < wyze> http://pastebin.ca/1095430
01:51 < wyze> duh
01:52 < Valect> :p
01:52 < wyze> 234239864 things going on @ once
01:52 < Valect> >.<
01:52 < wyze> none of them good either
01:52 < Valect> not fun
02:03 < Valect> i suspect this may be part of my issue
02:03 < Valect> E:\Documents and Settings\Aaron>tracert 192.168.10.11
02:03 < Valect> Tracing route to 192.168.10.11 over a maximum of 30 hops
02:03 < Valect> 1 * * * Request timed out.
02:08 < Valect> whoa
02:09 < Valect> i added
02:09 < Valect> ifconfig 192.168.10.1 192.168.10.2
02:09 < Valect> push "route 192.168.10.1"
02:09 < Valect> and it works
02:10 < Valect> the push route wasn't even needed
02:10 < Valect> :s
02:12 < wyze> ahhh
02:12 < wyze> u know what, i had a similar issue last night
02:13 < wyze> i got openvpn running on the debian sd install on my neo and that was a factor i neglected
02:15 < Valect> i'm not even sure i understand *why* that line works
02:15 < Valect> but at least it does
02:16 < Valect> now i have to get samba working over openvpn
02:47 -!- wyze [n=swc|666@unaffiliated/swc666/x-4934821] has left ##openvpn []
03:06 < krzee> intangir, http://help.expedient.com/broadband/mtu_ping_test.shtml
04:16 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
05:35 -!- Valect [n=aaron@24-113-87-90.wavecable.com] has quit [Read error: 110 (Connection timed out)]
05:35 -!- Valect [n=aaron@24-113-87-90.wavecable.com] has joined ##openvpn
05:44 -!- pinchartl [n=User@49.198-78-194.adsl-static.isp.belgacom.be] has joined ##openvpn
05:44 < pinchartl> hi
06:12 -!- Valect [n=aaron@24-113-87-90.wavecable.com] has quit [Read error: 110 (Connection timed out)]
06:17 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
06:26 -!- Valect [n=aaron@24-113-87-90.wavecable.com] has joined ##openvpn
07:05 < ecrist> morning, kids
07:05 -!- Irssi: ##openvpn: Total of 30 nicks [0 ops, 0 halfops, 0 voices, 30 normal]
07:14 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"]
07:15 -!- rmull [n=boom@c-76-117-208-224.hsd1.nj.comcast.net] has joined ##openvpn
07:17 < rmull> I wonder where Taishi's gone.
07:39 * ecrist doesn't know.
07:40 < rmull> In happier news, my openvpn has 30 days of uptime
07:41 < ecrist> grats.
07:42 < ecrist> ours has been running since May 3, 2008.
07:42 < ecrist> :)
07:43 < rmull> Ahh very nice
07:43 < rmull> Hey, you changed the topic?
07:43 < ecrist> at some point, yeah
07:44 < rmull> No more "fascinating HOWTO?" haha.
07:44 < ecrist> lol
07:44 < rmull> I haven't been around these parts in a few days
07:44 < rmull> Been hanging out in #nginx
07:44 < ecrist> ah, yeah, I changed the topic on Aug 1
07:44 < ecrist> what's that?
07:44 < rmull> It's a really fast http server/reverse proxy, built in Mother Russia
07:45 < rmull> We're using it to provide a single entry point for all the external access to our HTTP servers, but we're serving out a wildcard ssl cert with it as well
07:46 < rmull> So basically we're using it to reduce our exposure and encrypt all outside access to our webservers
07:46 < rmull> And benchmarks show it to be crazy fast, so that's cool too.
07:46 < ecrist> sounds neat.
07:46 < rmull> Damn right :D
07:46 < ecrist> Big IP has an appliance that does similar things.
07:47 < rmull> We're just a ~15 employee firm though, so I don't think we need to drop the money on something too serious
07:47 < rmull> I talk to a guy who works at F5 pretty regularly - he works on the Big IP device and has some good things to say about it
07:48 < rmull> Personally, I'm more interested in the model that appears in the rotation of images they have on their homepage: http://www.f5.com/images/home/home004.jpg
07:48 < ecrist> there's a guy in our data center (he hosts ilounge, amongst others) who has 5 Big IPs and uses them for SSL proxying.
07:48 < rmull> :D
07:49 < pinchartl> rmull: sounds interesting. I'll give it a try. we're a 20 employee firm and nobody seems to be interested in security here :-(
07:49 < pinchartl> we develop networking-aware products, and their idea of tcp security is a 16bit password on a clear connection
07:50 < rmull> pinchartl: It's definitely worth looking into. I just have it running in a VM with 128M RAM allocated, and the machine idles at 11-12M (CentOS)
07:50 < rmull> ecrist: Any idea of how much traffic that setup sees?
07:51 < ecrist> rmull, I think he said he's seeing a consistent 140Mbps
07:51 < rmull> Wow, that's big-time.
07:51 < rmull> Yeah, we're not at that level and probably never will be :D
07:51 < pinchartl> speaking of wildcard ssl certs, how do you do that ?
07:51 < ecrist> pinchartl: set CN to *.hostname.com
07:51 < pinchartl> I got a few CNAME records pointing to the same http server with virtual hosting enabled
07:51 < pinchartl> ok
07:52 < ecrist> not recommended, though.
07:52 < pinchartl> do you know if subjectAltName can be used to specify alternate names for virtual hosts ?
07:52 < rmull> Yeah, that's the one shortcoming - one cert for all sites
07:52 < ecrist> for a hosting provider, that is.
07:52 < ecrist> yes, I believe so.
07:53 < rmull> But afaik, there's no way to use multiple certs, one for each vhost or proxied host, right?
07:53 < rmull> If it's served from a single IP
07:53 < ecrist> you can, but they've got to have their own IP.
07:54 < pinchartl> there's actually an SSL extension to do that, but it's not supported in openssl 0.9.8
07:54 < pinchartl> 0.9.9 should work
07:54 < rmull> Is it supported by browsers, or does it not matter on the client end?
07:54 < pinchartl> it's a kind of Host: header at the SSL level
07:54 < pinchartl> so clients will have to be upgraded
07:54 < rmull> Okay. Glad to hear it's in the works
07:55 < pinchartl> but I think IE already supports it, and maybe Firefox as well
07:55 < pinchartl> the other standard option is to issue an UPGRADE http command on a clear connection after sending the Host header, but that has never been widely deployed
07:59 < rmull> I just upgraded to Firefox 3 and was amazed at the new treatment of self-signed certs
07:59 < rmull> I saw the hullabaloo on slashdot when it hit the news, but I hadn't experienced it until just recently
07:59 < pinchartl> they tightened their security procedures
08:00 < pinchartl> not a bad thing
08:00 < pinchartl> it should also dropped ill-formed html/xhtml :-)
08:00 < pinchartl> s/dropped/drop/
08:00 < rmull> Lol
08:01 < rmull> I ran a wordpress installation I'm running for a LUG through the validator and it had something like ~80 errors
08:01 < rmull> Should probably switch to a CMS with less bullshit
08:01 < ecrist> pinchartl: I think the way firefox handles self-signed certificates is misleading.
08:01 < pinchartl> if all internet browsers had an html/xhtml validator built-in websites designers would fix them
08:01 < pinchartl> ecrist: why ?
08:01 < ecrist> we fix ours her.
08:01 < ecrist> here*
08:02 < pinchartl> I've recently found a website with two s
08:02 < rmull> pinchartl: Moinmoin has the "validated xhtml" logo on the bottom of their pages, but if you actually run it through the validation, it fails. :P
08:02 < ecrist> pinchartl: they *overly* imply that the site the user is connecting to is dangerous/fraudulent.
08:02 < rmull> ecrist: I think I agree with you for the most part
08:03 < rmull> I just get constantly nagged by the "trust" aspect of SSL
08:03 < rmull> But it costs so much to be trusted
08:03 < rmull> And anyone with money seems trustworthy.
08:03 < ecrist> I think, if they gave you a yellow bar, similar to the one they have for "do you want me to remember this password" indicating that, while the connection was encrypted, the site's identity cannot be verified" would be sufficient.
08:03 < ecrist> rmull: exactly.
08:03 < rmull> That would be acceptable to me.
08:04 < pinchartl> ecrist: the risk may be overstated by Firefox, but that's better than understating it :-)
08:04 < ecrist> pinchartl: that doesn't make it less wrong, on the part of mozilla.
08:04 < ecrist> Safari does it nicely, without a lot of doom and gloom.
08:04 < cpm> yeah, that's pretty funny. I'd *love* to see an analysis of ssl certificate fraud. Where 'untrusted' certificates actually caused loss, relative to 'trusted' certificates that were acquired via fraudulent means.
08:05 < cpm> There are cases where folks paid good money to acquire certificates in another company's name. using faked letter head kinda stuff.
08:05 < ecrist> I have IT people here, who, when they started using Firefox 3, thought we were having internal website problems because the ssl error wasn't friendly, at all. It's similar to a connection failed, 404, etc.
08:05 < rmull> cpm: Lol, letter-head verification cracks me up
08:06 < ecrist> yeah, no doubt.
08:06 < cpm> that I'll bet led to losses greater than whatever losses were had by 'untrusted' certificates.
08:06 < pinchartl> ecrist: that's right. we've been bitten by that too
08:06 < cpm> rmull, goes to show that the only thing 'trusted' CAs care about is the money.
08:07 < rmull> For my personal stuff I've been using cacert.org
08:07 < ecrist> I'm a proponent of self-signed certificates. In the case of my networks, I control, 100%, the certificate chain. for better or for worse. All I've got to do is make sure the root CA certificate is installed on the client machines, and there are no problems.
08:07 < cpm> ecrist, I'm not so keen on self signed, esp since there are alternatives.
08:08 * cpm uses CACert.org certificates
08:08 < rmull> I support that :D
08:08 < ecrist> lol, cacert.org uses an invalid certificate, according to ff3.
08:08 < ecrist> no different than my self-signed ones.
08:09 < rmull> ecrist: You don't have the root cert installed in your browser
08:09 < cpm> ecrist, that's right. FF (moz in general) will not accept it, by default (you can install the root ca) because they claim the model isn't trusted.
08:09 < cpm> Because it's a chain of trust, rather than a chain of cash.
08:09 < rmull> It's installed by default in a couple of more obscure browsers, but not yet in FF.
08:09 < ecrist> right, so using cacert.org is no different than signing my certificates myself.
08:10 < cpm> certificates have to be signed by verified 'Persons', rather than faceless corporate entities.
08:10 < cpm> ecrist, no, it isn't the same.
08:10 < ecrist> sure it is.
08:10 < cpm> no, it isn't.
08:10 < ecrist> sure it is.
08:10 < cpm> how is it the same?
08:10 < cpm> I have no earthly idea who you are. In fact, I have no idea that you actually exist.
08:11 < cpm> no one has verified that you exist.
08:11 < ecrist> exactly, same goes for cacert.
08:11 < cpm> Not at all.
08:11 < cpm> in order to get a certificate, you have to submit a csr, as a verified person, known.
08:11 < cpm> the csr is traceable to you.
08:12 < ecrist> yep
08:12 < ecrist> it's a matter of who you trust to do the initial, root, verification.
08:12 < cpm> the certificate granted is on a sliding scale of trust, depending on how many signatories have signed your signing key.
08:12 < cpm> Exactly.
08:13 < rmull> I use them because it's more likely that people will have that cert installed. Because many people use CACert, many people may have already installed the root cert. If they haven't, I would like them to so that CACert gets more publicity.
08:13 < ecrist> in our organization, I'm the network administrator. I'm trusted, exclusively, for all network decisions, including who/what gets on the network. As such, I've created our organizational root certificate.
08:13 < ecrist> VPN certs, etc, all pass through my hands.
08:13 < cpm> in order to get a cacert certificate. You have to be a known person, that some other known person has vouched for. Actually, not exactly true. You can get a certificate without being vouched for, but it will have no trust credentials.
08:13 < rmull> ecrist: Running an in-house CA is not "recommended" though, no?
08:14 < ecrist> rmull: wrong.
08:14 < ecrist> why wouldn't it be recommended?
08:14 < ecrist> why do you think *most* ssl-enabled programs, OpenVPN included, don't have a pre-established group of trusted certificates?
08:14 < rmull> Hmm.
08:14 < ecrist> the browser industry is a scam when it comes to SSL.
08:15 < rmull> That's a fact, which is why I went with CACert :P
08:15 < ecrist> the only reason the big CAs are *trusted* is because they paid money.
08:15 < ecrist> rmull: CACert is no different, and they do *less* to verify identity than the others.
08:15 < cpm> self signed works okay. Again, I think the actual incidences of compromise have come from 'trusted' cas, rather than self signed. Self signed opens the door wide to mitm attacks. but these are relatively rare. And I'm personally not aware of one.
08:15 < ecrist> as such, my argument stands.
08:16 < cpm> ecrist, not so. You are misinformed on this.
08:16 < cpm> they do NOT do less. In fact, they do more.
08:16 < cpm> the only thing 'the others' do, is take money.
08:16 < ecrist> cpm, I've read through all the emails and blogs regarding cacert.org's attempt to get included in mozilla applications.
08:16 < cpm> you want it, you pay for it, you get it. The end.
08:17 < cpm> ecrist, lotta straw men in those arguments.
08:17 < ecrist> cpm?
08:17 < ecrist> the only thing you gain by going to an outside CA is a chain that's only conveniently trusted.
08:18 < cpm> No. Again, not so.
08:18 < cpm> you remove the mitm attack vector.
08:19 < pinchartl> I use self-signed certificates internally too. no major issue, except that I had to recreate all my certificates at some point because I made a mistake in the root CA certificate :-)
08:19 < ecrist> well, I think we're going to have to agree to disagree on this one, cpm.
08:19 < ecrist> cpm, where's the mitm attack on a self-signed certificate, if the root CA is pre-configured on client machines?
08:19 < cpm> ecrist, sure. When you get your facts straight. I will agree to disagree. The statement that a self signed, and a cacert.org signed certificate are of the same security level is demonstrably false.
08:19 < rmull> Even if they're not any more trustworthy than paid-for CAs, if there's a possibility that they'll eventually be included in popular browsers because a lot of people use them and they have a solid ID verification process, I support that it's the best option for a free non-self-sign SSL solution. I'd like to see them be included in popular browsers.
08:20 < ecrist> the only real disadvantage is that they're not pre-included in web browsers.
08:20 < ecrist> cpm, I *do* have my facts straight.
08:20 < cpm> but to the overarching point that self-signed is good enough. No argument.
08:21 < cpm> a cacert.org certificate is signed by a third party. A self signed is not. They are not equivalent.
08:21 < pinchartl> the reason why big CAs are trusted is that they are supposed to verify your identity when you submit a CSR. in theory they do, in practice they are often careless. as CA cert is free, there is no way they can dedicate the necessary resources to perform this kind of verification
08:21 < rmull> self-signed may be good enough for purely internal things, but for everything else, cacert is a better option.
08:21 < ecrist> part of my point, cpm, is *why* should I trust XYZ CA?
08:21 < cpm> ecrist, depends.
08:21 < cpm> doesn't it?
08:21 < ecrist> that's just it.
08:22 < ecrist> that's the majority of my point.
08:22 < cpm> but from a crypto analysis standpoint, they cannot be equivalent.
08:22 < ecrist> there's no good reason to trust them other than I've been told to.
08:22 < cpm> sure there's good reason. but you are splitting hairs. Do you trust the math behind ssl in the first place?
08:22 < ecrist> cpm, I'll concede that issue - is a third party-verified certificate better than one that's not? of course.
08:23 * cpm bows to ecrist
08:23 < ecrist> where my issues lie is in *who* that third-party is. who the fuck is XYZ CA? I don't know them. I don't know the people who make the decisions.
08:23 < ecrist> I'd rather have my Mom, and her self-signed CA by my third-party, than XYZ CA.
08:24 < ecrist> s/by/be
08:24 < ecrist> cpm, SSL serves two uses - encryption and identification.
08:25 < ecrist> we're arguing identification, there are few issues with encryption.
08:25 < ecrist> now, a lot of the identification stuff could be solved if there were a flag in SSL certs to say, this is an encryption-only certificate.
08:25 < cpm> true dat. in the case of encryption (I think) it's nearly identical. As your point illustrates.
08:25 < rmull> We're forgetting that CACert has "levels" of trust: http://www.cacert.org/index.php?id=19
08:26 < ecrist> which would turn off all the doom-and-gloom errors in browsers, with just a warning, as I mentioned previously.
08:26 < cpm> rmull, I'm not.
08:26 < ecrist> me either.
08:26 * rmull takes it back
08:26 < cpm> ecrist, good point.
08:26 < cpm> which would be a nod to the practical aspect of 'the way things really are'.
08:27 < ecrist> right
08:27 < pinchartl> rmull: interesting
08:27 < ecrist> I use SSL on my sites not for identification, but for encryption.
08:27 < ecrist> banks, etc, *should* use them for both.
08:27 < ecrist> I could really care less if someone mitm my wikipedia password
08:28 < ecrist> my bank account password, otoh, is a different issue.
08:28 < rmull> ecrist: But according to your argument, how can banks use them for both if XYZ CA is unable to be trusted?
08:28 < cpm> well, that was fun.
08:28 < cpm> :)
08:28 < ecrist> rmull: that's the issue. people are sheep.
08:28 < cpm> rmull, it's possible to use ssl for identification only, like the default gmail.
08:29 < ecrist> they trust XYZ CA because their browser tells them to.
08:29 < rmull> cpm: But all of us here say that SSL as ID is inherently broken.
08:29 < rmull> Trust is bought.
08:29 < rmull> And self-signed is no better.
08:29 < ecrist> in MY perfect world, when you open your bank account, you get a disk with the bank's (third-party verified) root CA, which I would install to my browser.
08:30 < rmull> Let's talk about how broken credit cards are in their existing state when we're done :D
08:30 < ecrist> or RFID
08:30 < rmull> Seriously.
08:31 < cpm> in my perfect world, you don't sweat it. You, as a grown up, deal with someone else as a grown up, you assess the risk, pay yer money, take your chances. The End. The rest is all a bunch of hooey.
08:31 < ecrist> I've been working in the access-control industry for ~10 years now - it's scary how easy it is to break in to some places.
08:31 < rmull> That's not a bad philosophy.
08:32 < ecrist> cpm: that's the way most people do operation, in reality, myself included.
08:32 < cpm> The only contract I have any respect for, is a hand shake, anyone who will not trust a handshake is not trustworthy themselves, because they expect you to screw them, and I don't like dealing with people like that. I expect them to keep an eye on the loophole to try and screw me.
08:32 < ecrist> because my bank didn't give me a disk with their root ca, doesn't mean I don't use online banking.
08:32 < ecrist> ;)
08:32 < cpm> Break a deal, Face the Wheel!
08:32 < ecrist> cpm agreed.
08:37 < rmull> Man, the photos from the CERN supercollider are insane.
08:39 < rmull> http://cdsweb.cern.ch/collection/Photos?ln=en
08:39 < rmull> So much engineering.
08:49 * cpm loves that stuff
08:49 < cpm> that was a great big fuckup in my life.
08:49 < cpm> I was in the service back in the mid-80s, and I had it all planned out.
08:51 < cpm> back then, there was all this go-ahead money towards the Superconducting Super Collider (SSC) particle accelerator project down in texas. this thing was going to be about the size of manhattan. And pretty much the whole deal was done, they were even beginning excavation of the site about the time I was going to muster out of service.
08:51 < cpm> i was going to go to texas, sign on as an apprentice electrician, (I had the skillz) and do whatever the hell it took to stay on the project until it was active.
08:52 < cpm> then get a job as a plant management electrician, the guy with the green work pants and shirt and all the keys to all the breaker panels.
08:52 < cpm> Be the dude who knows the ssc as well as anyone alive. Work then until I died.
08:52 < cpm> that was my life goal.
08:52 < cpm> They cancelled it, of course.
08:52 < cpm> http://en.wikipedia.org/wiki/Superconducting_Super_Collider
08:53 < cpm> and that's my story.
08:53 < cpm> now I'm just a broken down, fat, grey haired sysadmin.
08:54 < rmull> That's mildly depressing :\
08:58 < cpm> heh
08:59 < ecrist> lol
09:03 < pinchartl> "Mike Zusman, in his talk on Abusing SSL VPNs, revealed that he was able to successfully get a valid digital certificate for a subdomain in the Live.com domain (owned by Microsoft) from a Root CA provider that was not authoritative for the domain. This allowed him to insert a man-in-the-middle Live.com VPN connection without setting off certificate warnings."
09:03 < pinchartl> that's from blackhat 2008
09:05 < ecrist> wow
09:06 < ecrist> what ssl vpn software where they usnig?
09:06 < ecrist> using*
09:07 < ecrist> I wonder if that would work for OpenVPN. in the openvpn config, you have to specify a root CA certificate. as I understand, unless your certificate is signed by that specific CA, you don't get validated.
09:07 < ecrist> I guess, that's one other reason to have multi-factor authentication.
09:08 < ecrist> speaking of that, any of you guys played with the openvpn pam module?
09:13 < pinchartl> it's not a vpn software issue. the guy successfully bought an ssl certificate for a live.com subdomain from one of the big CAs without being affiliated with microsoft in any way
09:14 < ecrist> oh, was misreading it, then.
09:22 -!- eWizard [n=identd@88.222.138.61] has joined ##openvpn
09:24 -!- Irssi: ##openvpn: Total of 31 nicks [0 ops, 0 halfops, 0 voices, 31 normal]
09:25 < ecrist> rmull: was it you who was building the bot?
09:25 < rmull> ecrist: Probably not, a bot to do what?
09:26 * ecrist looks to logs
09:27 < ecrist> ah, it was krzee.
09:27 < rmull> Ah
09:27 < rmull> What did he want it to do?
09:27 < ecrist> I think it was going to log the chan or something.
09:27 < ecrist> he said mail-list, but I don't know what that would do for us.
09:30 < rmull> Hmm.
10:03 -!- pumkinhed_ [n=pumkinhe@mail.guardianchem.ca] has joined ##openvpn
10:04 < ecrist> heya pumkinhed_
10:05 -!- pumkinhed [n=pumkinhe@mail.guardianchem.ca] has quit [Read error: 104 (Connection reset by peer)]
10:15 -!- pumkinhed_ is now known as pumkinhed
10:28 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
10:34 < ecrist> morning, krzee
10:51 < krzee> g'mornin
10:51 < krzee> head kinda hurts
10:51 < krzee> fun concert last night =]
10:56 -!- mode/##openvpn [+o ecrist] by ChanServ
10:57 -!- ecrist changed the topic of ##openvpn to: Home Page: http://openvpn.net | HowTo: http://openvpn.net/index.php/documentation/howto.html | Current Release OpenVPN 2.0.9 | Please use http://pastebin.com (or other) for >5 lines | Don't feed the trolls.
10:58 -!- mode/##openvpn [-o ecrist] by ecrist
11:00 < krzee> oh and today im going to jump down waterfalls!
11:00 < cpm> krzee, what concert?
11:00 < krzee> heh
11:00 < krzee> it was tipico
11:00 < krzee> i live in the caribbean
11:00 < krzee> but the bands are very popular here
11:01 < cpm> where in the carrib?
11:01 < krzee> msg'ed
11:01 < krzee> its privileged information
11:01 < cpm> Ah, cool! Only been there once, but I liked it.
11:01 < krzee> if i told you i'd hafta kill you ;]
11:02 < krzee> ya its really nice
11:02 < cpm> yeah, but we can't talk about it. You'll have to kill me.
11:02 < krzee> hehe
11:02 < ecrist> lol
11:12 -!- pinchartl [n=User@49.198-78-194.adsl-static.isp.belgacom.be] has quit ["leaving"]
11:13 < cpm> ecrist, going back a bit, did you read the nice argument against including root CAs in browsers *at all*?
11:15 < rmull> Lol, oh lord.
11:18 < ecrist> cpm: which one?
11:19 < ecrist> I *thought* I read every line.
11:21 -!- eWizard [n=identd@88.222.138.61] has quit [Read error: 60 (Operation timed out)]
11:22 < cpm> umm, it's alluded to here:
11:22 < cpm> https://bugzilla.mozilla.org/show_bug.cgi?id=215243#c12
11:24 < cpm> I must confess, that since the death of cypherpunks, as in the real death, not the many many little deaths, I kinda stopped paying a lot of attention.
11:34 < ecrist> hrm, cacert.org was supposed to be included back in 2004 - looks like mozilla == fail
11:37 < krzee> interesting argument
11:38 -!- SilenceGold [n=chris@70.232.50.35] has quit [Read error: 104 (Connection reset by peer)]
11:38 -!- xattack [i=root@132.248.108.239] has joined ##openvpn
11:39 -!- SilenceGold [n=chris@70.232.50.35] has joined ##openvpn
11:39 < ecrist> xattack: you're not really connecting from your root account, are you?
11:39 < krzee> irc'in from root is bad mmmkay
11:39 < cpm> mmmkay
11:39 < SilenceGold> which irc client allows exploits?
11:39 < SilenceGold> I haven't seen one yet
11:40 < krzee> allows or happens to have had?
11:40 < krzee> there were some for bitchx iirc
11:40 < ecrist> SilenceGold: any client that allows for scripting.
11:40 * cpm fires up a nice dcc payload
11:40 < SilenceGold> only seen those who are foolish to run something like /run rm -rf /*
11:40 < krzee> http://www.google.com/search?hl=en&q=irc+client+exploit&btnG=Google+Search
11:41 < krzee> but that shouldnt even matter
11:42 < krzee> cause when people care about security they do nothing as root unless it needs root to be done
11:42 < krzee> regardless if its been proven something is vulnerable or not
11:45 < SilenceGold> I used to run irc as root
11:45 < SilenceGold> so I could make friends with smart people
11:45 < SilenceGold> when they exploit me...I became friends with them
11:45 * cpm chuckles
11:45 < SilenceGold> at least I didn't have a lame friend
11:45 < SilenceGold> :)
11:46 < krzee> hahaha
11:46 < krzee> alright im out, bbl
11:48 < xattack> ok i apologize for that , im still testing , so the easy way is using the same account
11:48 < ecrist> ok, it's a bad idea to do things like that as root.
11:49 < xattack> i know it ! .......i hope no one wants to screw me up !!!
11:50 < krzee> while learning maybe use sudo to run a command with higher privileges when you need to
11:50 < krzee> like sudo rm -rf /protected/file
11:51 < krzee> then you are still only using 1 account, but it's not root
11:51 < krzee> http://www.gratisoft.us/sudo/man/sudo.html
11:51 < xattack> sudo .... i hate it , didnt like it since mac ..........
11:52 < krzee> huh?
11:52 < xattack> ...........long story
11:53 -!- xattack [i=root@132.248.108.239] has quit ["Leaving"]
11:54 < ecrist> I don't think he understands.
11:58 -!- xattack [i=invitado@132.248.108.239] has joined ##openvpn
12:08 -!- mode/##openvpn [+o ecrist] by ChanServ
12:09 -!- mode/##openvpn [+b *!?=root@*] by ecrist
12:09 -!- mode/##openvpn [-o ecrist] by ecrist
12:30 -!- xattack [i=invitado@132.248.108.239] has quit ["byte!!"]
12:34 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn
12:37 -!- Optic [n=dfraser@miso.capybara.org] has joined ##openvpn
12:39 -!- Irssi: ##openvpn: Total of 32 nicks [0 ops, 0 halfops, 0 voices, 32 normal]
12:43 -!- Kaushal [n=Kaushal@59.184.24.251] has joined ##openvpn
12:43 < Kaushal> hi
12:44 < Kaushal> I am using Ubuntu 8.04 linux
12:44 < ecrist> hi
12:44 < Kaushal> whenever i have to connect to vpn, I need to add the route command on the command line
12:44 < Kaushal> is there a way to automate it
12:45 < ecrist> yes, it's discussed in the howto
12:46 < ecrist> but, your server admin should have pushed the routes to you.
12:46 < Kaushal> ecrist, can you please give me an example
12:46 < ecrist> first, why isn't your admin pushing the route?
12:47 < Kaushal> ecrist, I will definitely instruct him
12:48 < Kaushal> is there a way to do that
12:48 < ecrist> yes, it's a standard server config option
12:48 < ecrist> go to the howto and search for push_route
12:49 < Kaushal> sure
12:49 < Kaushal> http://openvpn.net/index.php/documentation/howto.html
12:50 < Kaushal> is that the one
12:50 < ecrist> yep
12:50 < Kaushal> ecrist, is it Pushing DHCP options to clients.
12:51 < ecrist> no
12:52 < ecrist> sorry, gave you wrong search string
12:52 < ecrist> push "1.2.3.4/cidr"
12:52 < cpm> bastard!
12:52 < ecrist> would be the option in the server config.
12:53 < ecrist> yeah, I already know I suck, cpm. Why you gotta rub it in?
12:53 * cpm hangs his head in shame
12:54 < Kaushal> ecrist, I will have a look into it
12:54 * ecrist runs away, throwing arms around, crying, in a fit of child-like humility.
12:54 < Kaushal> ecrist, as you said there is an option from the client side too
12:54 < Kaushal> to add the route
12:54 < cpm> man, I feel really bad now.
12:54 < ecrist> Kaushal: if that doesn't work, and it should, there is a way in the client config to execute a custom script after the vpn has come up.
12:54 * cpm kills himself.
12:55 * ecrist kills his wife, kid, parents, then himself.
12:55 < _aia_> why is it that I can connect to rdp fine on the vpn server but not other applications
12:55 < Kaushal> ecrist, if you can point me to some examples
12:55 < cpm> wow, you must really be ashamed.
12:55 * cpm bows to ecrist's most excellent shame
12:57 < ecrist> Kaushal: I think it's up script and down
12:57 < ecrist> down script*
12:58 < ecrist> where is the full path to the script to run - but let me check on that.
13:00 < ecrist> erm, I think it's just up/down
13:00 < Kaushal> ecrist, i did not understand
13:00 < Kaushal> is it in the GUI on the client side
13:01 < ecrist> Kaushal: it's in the config file, on the client side.
13:01 < Kaushal> ok
13:02 < ecrist> Kaushal: http://openvpn.net/index.php/documentation/manuals/openvpn-20x-manpage.html#lbAP
13:04 * Kaushal read that page
13:04 * Optic moops
13:05 < Kaushal> ecrist, so on the client side where would be the location of config file
13:05 < Kaushal> not sure
13:05 < ecrist> Kaushal: usually in your c:\program files\OpenVPN\config
13:05 < Kaushal> thats windows
13:05 < ecrist> have your admin help you with this.
13:05 < Kaushal> I am using Ubuntu
13:06 < ecrist> well, then I don't know - it can vary.
13:06 < ecrist> Kaushal: what command do you use to build your vpn connection?
13:06 < rmull> Kaushal: Typical /etc/openvpn
13:06 < Kaushal> ecrist, I have used gui to connect to openvpn server
13:08 < ecrist> Kaushal: read the documentation for the gui, then.
13:09 < Kaushal> ecrist, thanks
13:10 -!- burnin [n=burnin@204-228-142-194.ip.xmission.com] has joined ##openvpn
13:12 -!- Irssi: ##openvpn: Total of 34 nicks [0 ops, 0 halfops, 0 voices, 34 normal]
13:22 -!- Valect [n=aaron@24-113-87-90.wavecable.com] has quit []
13:40 -!- bandini [n=bandini@host90-110-dynamic.31-79-r.retail.telecomitalia.it] has joined ##openvpn
13:43 -!- Kaushal [n=Kaushal@59.184.24.251] has quit ["Leaving"]
13:47 * ecrist wants to go home.
13:47 < ecrist> FRIDAY! \o/
13:54 < rmull> wewt
13:55 < ecrist> one
13:55 < ecrist> more
13:55 < ecrist> hour
14:20 -!- burnin [n=burnin@204-228-142-194.ip.xmission.com] has quit ["Leaving"]
14:20 -!- wwalker [n=wwalker@pdpc/supporter/sustaining/wwalker] has joined ##openvpn
14:20 < wwalker> does OpenVPN work on Vista, or should I just hang myself? I've just spent 3 hours trying to get VMware working on a friend's Vista machine (he's 300 miles away, so I want to use OpenVPN to get to his machine via VNC)
14:24 < ecrist> wwalker: I think so.
14:34 < wwalker> ecrist: thank you.
14:35 < ecrist> np
14:44 < rob0> I think there are SSL-enabled VNC clients and servers, no? If that's all you need, openvpn is overkill. And if you just want to secure access to the VNC, a firewall can do that.
14:47 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
16:01 < ecrist> mmmm hot pockets
16:07 -!- epsilon [n=epsilon@raid1.net] has joined ##openvpn
16:08 -!- epsilon [n=epsilon@raid1.net] has left ##openvpn ["Leaving"]
16:08 -!- epsilon [n=epsilon@raid1.net] has joined ##openvpn
16:10 < ecrist> coming or going? :)
16:35 < SilenceGold> bring it
16:44 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Client Quit]
17:26 -!- bandini [n=bandini@host90-110-dynamic.31-79-r.retail.telecomitalia.it] has quit [Remote closed the connection]
17:45 -!- Irssi: ##openvpn: Total of 31 nicks [0 ops, 0 halfops, 0 voices, 31 normal]
17:46 < ecrist> SilenceGold: if you didn't see my message yesterday, I've got svn running with ssl-admin code/etc committed.
17:46 -!- Netsplit kubrick.freenode.net <-> irc.freenode.net quits: chesty, linux_manju, wwalker
17:46 < ecrist> :)
17:48 -!- Netsplit over, joins: wwalker, linux_manju, chesty
17:48 -!- Alex [i=hauntedu@goatse.co.uk] has quit [Remote closed the connection]
17:51 -!- nantes_geek [n=nantes_g@ARouen-153-1-67-239.w90-17.abo.wanadoo.fr] has quit [Remote closed the connection]
18:03 -!- int [n=quassel@wikia/int] has quit [Connection timed out]
18:08 -!- highzeth [n=highzeth@hoiseth.no] has quit ["Leaving."]
18:12 < SilenceGold> saw it, ecrist
18:12 < SilenceGold> like I said, I do best modifying something that someone already started
18:13 -!- Alex [i=hauntedu@goatse.co.uk] has joined ##openvpn
18:21 -!- Alex [i=hauntedu@goatse.co.uk] has quit [Remote closed the connection]
18:33 < ecrist> yeah, there's man pages there
18:33 < ecrist> trunk/ssl-admin/man1 and man5
18:54 -!- Alex [i=hauntedu@goatse.co.uk] has joined ##openvpn
19:00 -!- burnin [n=burnin@204-228-142-194.ip.xmission.com] has joined ##openvpn
19:08 -!- nantes_geek [n=nantes_g@ARouen-153-1-67-239.w90-17.abo.wanadoo.fr] has joined ##openvpn
19:18 -!- nantes_geek [n=nantes_g@ARouen-153-1-67-239.w90-17.abo.wanadoo.fr] has quit ["Happy Hacking !"]
21:05 < rmull> Hey, was one of you working on a script that integrates cert management with active directory? Someone mentioned something about it a while ago.
21:37 -!- djs [n=djs@unaffiliated/djs26] has left ##openvpn ["Ex-Chat"]
21:37 -!- djs [n=djs@unaffiliated/djs26] has joined ##openvpn
21:37 -!- near [n=near@83-156-241-63.rev.libertysurf.net] has quit [Read error: 110 (Connection timed out)]
21:38 -!- near [n=near@88-122-28-164.rev.libertysurf.net] has joined ##openvpn
21:49 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit [Remote closed the connection]
21:52 -!- djs [n=djs@unaffiliated/djs26] has left ##openvpn ["Ex-Chat"]
21:52 -!- djs [n=djs@unaffiliated/djs26] has joined ##openvpn
22:20 < ecrist> rmull: how would that work?
22:20 < ecrist> what would be the advantage of putting certs in ldap/ad?
22:20 < rmull> ecrist: Not so much "putting them in" as much as generating them based on the login IDs
22:21 < ecrist> oh, that would be pretty trivial, really.
22:21 < rmull> Yeah, I'm probably going to look into it. I've never worked with any sort of directory services.
22:21 < rmull> But assuming I can get a list of IDs, then I'm basically done, heh
22:21 < ecrist> right.
22:22 < ecrist> that's something I could roll into ssl-admin, to integrate with ldap/ad, build the certificate based on values stored there.
22:22 < rmull> Well, I'm all in favor :D
22:28 < ecrist> I'll add a ticket so I remember.
22:33 < krzee> hey nice
22:33 < krzee> i didnt know ssl-admin existed
22:33 < krzee> I'll have to give it a try sometime =]
22:33 < krzee> is it .sh?
22:33 < krzee> ahh nm, pl
22:33 < rmull> ecrist: Thanks man, I appreciate it
22:34 -!- tcccp [i=hey@223.66.238.89.arpa-addr.in] has quit [Read error: 110 (Connection timed out)]
22:35 < ecrist> krzee: you don't like my perl foo?
22:35 < ecrist> o.O
22:35 < krzee> haha nothing wrong with perl =]
22:36 < ecrist> krzee: don't know what your OS of choice is, but I've had ssl-admin committed to the FreeBSD ports tree.
22:36 < krzee> didnt mean it to sound like that
22:36 < krzee> ya i see that =]
22:36 < krzee> fbsd is my fav for servers
22:36 < krzee> osx for desktop
22:36 < ecrist> ditto
22:36 < ecrist> I was done fucking with fbsd on the desktop about 5 years ago.
22:37 < krzee> nice
22:37 < krzee> ya i never gave it much of a shot
22:37 < ecrist> bought a G4 powerbook and never looked back.
22:37 < krzee> used windows for many yrs for desktop til 2 yrs ago when i scored a macbook
22:37 < krzee> then MBP
22:37 < krzee> couldnt go back
22:38 < krzee> my fbsd machines never run X
22:38 < krzee> except my NFS at home
22:38 < krzee> but only have X on there for multiple terms, and i tossed in a TV tuner card since cable comes with the inet
22:39 < ecrist> I don't own a machine that runs windows anymore, and have two servers that run freebsd.
22:39 < krzee> oh and so i wouldnt need a TV to watch my dvds from my dvd changer
22:39 < krzee> ya no windows for me either
22:39 < krzee> although i wanna tri-boot it so i can play with some of johnny lee's wii-remote hacks
22:39 < krzee> now i dual boot ubuntu and osx
22:40 < krzee> for the hell of it, i wanted to play with beryl/compiz
22:40 < krzee> i never boot into it tho
22:40 < ecrist> I've been playing with VirtualBox to run freebsd/kubuntu virtual machines on my mac
22:40 < krzee> just kinda cool to be able to
22:40 < ecrist> seems pretty solid
22:40 < krzee> hehe
22:40 < krzee> whoa never hearda virtualbox
22:40 < krzee> i use vmware and parallels
22:41 < krzee> i use backtrack in vmware to pentest wifi, works great with my usb adapters and whatnot
22:42 < krzee> once had a mortgage company tell me they wouldnt let me disable their WEP
22:42 < krzee> so i demonstrated cracking it in 5-10 min, then started showing them the traffic that was going over their wired network... needless to say they let me disable it
22:42 < ecrist> lol
22:44 < krzee> i wish i could afford a mac pro
22:45 < ecrist> they're grossly over priced.
22:45 < rmull> I'm extremely turned off by most things Apple Corp does.
22:46 < ecrist> but, time to give the wife some attention, watch a tivo'd copy of the olympic opening ceremony.
22:46 < ecrist> l8r guys
22:46 < krzee> later
22:46 < krzee> ya they're overpriced but soo sweet
22:46 < rmull> Have a good one
22:46 < krzee> and snow leopard will just be improvements to the multi-cpu tech
22:47 < krzee> and making everything slicker under the hood
22:48 < krzee> if i hit the lottery im so buying a mac pro
22:48 < rmull> Yeah, and people will stand in line outside all the Apple stores, and it will be happy times for everyone, etc etc.
22:48 < rmull> <_<
22:48 < krzee> ya! ;]
22:48 < rmull> Sorry. I think I'm Mac-racist.
22:48 < rmull> Lol
22:49 < krzee> i used to be
22:49 < krzee> back when they were good for graphics and door-stops
--- Day changed Sat Aug 09 2008
00:11 < _aia_> haha
00:12 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Remote closed the connection]
00:13 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
01:27 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn
01:40 -!- _aia_ [n=_aia_@unaffiliated/aia] has quit [Read error: 110 (Connection timed out)]
01:41 -!- bandini [n=bandini@host90-110-dynamic.31-79-r.retail.telecomitalia.it] has joined ##openvpn
01:52 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Client Quit]
01:57 -!- RexMundi [n=RexMundi@off.spillgroup.com] has quit [Read error: 110 (Connection timed out)]
01:57 -!- RexMundi [n=RexMundi@ip-80-113-156-106.ip.prioritytelecom.net] has joined ##openvpn
02:02 -!- intangir [i=Intangir@c-98-197-217-152.hsd1.tx.comcast.net] has left ##openvpn []
02:06 -!- bandini [n=bandini@host90-110-dynamic.31-79-r.retail.telecomitalia.it] has quit [Remote closed the connection]
02:44 -!- RexMundi [n=RexMundi@ip-80-113-156-106.ip.prioritytelecom.net] has quit [Read error: 110 (Connection timed out)]
02:44 -!- RexMundi [n=RexMundi@ip-80-113-156-106.ip.prioritytelecom.net] has joined ##openvpn
03:18 -!- RexMundi [n=RexMundi@ip-80-113-156-106.ip.prioritytelecom.net] has quit [Read error: 104 (Connection reset by peer)]
03:20 -!- RexMundi [n=RexMundi@213.126.138.14] has joined ##openvpn
03:49 -!- burnin [n=burnin@204-228-142-194.ip.xmission.com] has quit ["Leaving"]
03:50 -!- RexMundi [n=RexMundi@213.126.138.14] has quit [Read error: 110 (Connection timed out)]
04:05 -!- RexMundi [n=RexMundi@off.spillgroup.com] has joined ##openvpn
04:31 -!- afrayedknot [n=user@sourcemage/elder/afrayedknot] has quit [Read error: 60 (Operation timed out)]
04:33 -!- RexMundi [n=RexMundi@off.spillgroup.com] has quit [Read error: 104 (Connection reset by peer)]
04:45 -!- nantes_geek [n=nantes_g@ARouen-153-1-67-239.w90-17.abo.wanadoo.fr] has joined ##openvpn
06:28 -!- candyban [n=candyban@146.182-201-80.adsl-dyn.isp.belgacom.be] has joined ##openvpn
06:29 < candyban> hi guys, ... I have generated my keys (twice) already, but I can't seem to get a client to work (identical config to a client config that works) and I get : Aug 9 21:12:03 gwhome ovpn-eenderwat[4287]: Cannot load private key file /etc/openvpn/home.eenderwat.be.crt: error:0906D06C:PEM routines:PEM_read_bio:no start line: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib
06:30 < candyban> anyone an idea? (according to google, this is often when you are using the .csr instead of the .crt, which is not the case)
06:30 < candyban> Also: the next entry is: Aug 9 21:12:03 gwhome ovpn-eenderwat[4287]: Error: private key password verification failed ... which is weird as I did not set a password (build-key rather than build-key-pass)
06:33 < candyban> openssl verify -CAfile ca.crt home.eenderwat.be.crt
06:33 < candyban> home.eenderwat.be.crt: OK
06:34 < candyban> openssl verify -CAfile ca.crt home.eenderwat.be.key
06:34 < candyban> unable to load certificate
06:34 < candyban> 4297:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:644:Expecting: TRUSTED CERTIFICATE
06:37 < candyban> which is the same on the working client configuration
06:37 < candyban> the only difference is that one machine is a genuine intel while the other is a VIA
06:40 < candyban> but both are using the i386 architecture ... can anyone point me in the right direction as to where to look?
06:40 -!- eWizard [n=identd@77.90.91.188] has joined ##openvpn
06:42 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn
06:53 < candyban> nm. I found the error
06:53 < candyban> the problem was that I had accidentally put the .crt as the key file (woops)
06:54 -!- candyban [n=candyban@146.182-201-80.adsl-dyn.isp.belgacom.be] has quit ["Leaving"]
07:12 < kraut> moin
08:06 -!- onats [n=onats@unaffiliated/onats] has joined ##openvpn
08:07 < onats> hello,what's the best router i can use to setup two remote sites to connect to each other? a computer for each location/
08:22 -!- eWizard [n=identd@77.90.91.188] has quit ["Leaving"]
08:48 < ecrist> morning, people.
08:48 < ecrist> onats: what do you mean by 'router'?
08:49 < ecrist> if it's just for an OpenVPN connection between two locations, an older PC with FreeBSD or Linux would be perfect.
09:37 -!- onats [n=onats@unaffiliated/onats] has quit ["Leaving"]
10:17 -!- djs [n=djs@unaffiliated/djs26] has left ##openvpn ["Ex-Chat"]
10:17 -!- djs [n=djs@unaffiliated/djs26] has joined ##openvpn
10:37 -!- djs [n=djs@unaffiliated/djs26] has left ##openvpn ["Ex-Chat"]
10:37 -!- djs [n=djs@unaffiliated/djs26] has joined ##openvpn
10:53 -!- burnin [n=burnin@204-228-142-194.ip.xmission.com] has joined ##openvpn
11:27 -!- HaRRT [n=Arthur@193.227.226.84] has joined ##openvpn
12:14 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
12:22 < SilenceGold> I'm looking at this 100mhz soekris board
12:22 < SilenceGold> wondering if it can do good as openvpn client
12:23 < epsilon> 100mhz FSB or CPU?
12:24 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
12:29 < ecrist> SilenceGold: possibly - can you get the crypto card with it?
12:44 -!- nantes_geek [n=nantes_g@ARouen-153-1-67-239.w90-17.abo.wanadoo.fr] has quit [Remote closed the connection]
12:52 < SilenceGold> I doubt it
12:52 < SilenceGold> I don't know of a crypto card that does SSL for openvpn yet
12:52 < SilenceGold> I really want the two ports one
12:52 < SilenceGold> where an idiot user can just plug it in
12:52 < SilenceGold> and not get confused by multiple ports
12:53 < SilenceGold> and I'm talking about 100mhz cpu
13:16 < ecrist> I think that would only be good for low-bandwidth.
13:18 < ecrist> gigabit ethernet can saturate a P4 2.4GHz if there's a ton of small packets.
13:21 -!- djs [n=djs@unaffiliated/djs26] has left ##openvpn ["Leaving"]
13:21 -!- djs [n=djs@unaffiliated/djs26] has joined ##openvpn
13:41 -!- bandini [n=bandini@host90-110-dynamic.31-79-r.retail.telecomitalia.it] has joined ##openvpn
15:17 -!- st1650 [n=eb@modemcable137.154-130-66.mc.videotron.ca] has joined ##openvpn
15:18 < st1650> What does this error mean :
15:18 < st1650> Sat Aug 09 07:46:44 2008 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
15:18 < st1650> Sat Aug 09 07:46:44 2008 TLS Error: TLS object -> incoming plaintext read error
15:18 < st1650> Sat Aug 09 07:46:44 2008 TLS Error: TLS handshake failed
15:21 < ecrist> it means your TLS certificate is invalid
15:21 < ecrist> in other words, what you think is an SSL certificate, isn't.
15:22 < st1650> Couldn't it be a connection problem ?
15:22 < ecrist> no
15:23 < st1650> It's not the first time I've set up an openvpn box and I'm pretty sure I didn't mess up my cert generation
15:23 < ecrist> it looks like the local copy of the ca root certificate doesn't exist.
15:23 < ecrist> st1650: it's an openssl error, not an openvpn error.
15:23 < ecrist> check your work.
15:23 < st1650> The error is on the client side right ?
15:24 < ecrist> could be either, you tell me.
15:24 < ecrist> which side are you seeing the error on?
15:24 < st1650> because I've tested on both my XP and my Win2K3 box ... server is on a DD-WRT firmware
15:24 < st1650> client side
15:24 < ecrist> what's the error log saying on the server?
15:25 < st1650> hold on ...
15:26 < st1650> No idea how to access the log on a dd-wrt router ...
15:32 < ecrist> me either, #dd-wrt might help you, there.
15:32 < ecrist> show me your client config.
15:33 < ecrist> nm, gotta go to a bbq.
15:33 < ecrist> good luck
15:33 < st1650> thx
15:33 < st1650> I'll try static key
15:54 -!- st1650 [n=eb@modemcable137.154-130-66.mc.videotron.ca] has quit [Read error: 110 (Connection timed out)]
16:40 -!- linux_manju [n=manju@202.122.23.18] has quit ["Lost terminal"]
16:41 -!- tharvey|home [n=tharvey@76.205.222.173] has joined ##openvpn
16:42 < tharvey|home> how can I get a dns server/search-name added to my local host when connecting to an openvpn server?
17:01 -!- nantes_geek [n=nantes_g@ARouen-153-1-67-239.w90-17.abo.wanadoo.fr] has joined ##openvpn
17:08 -!- tharvey|home [n=tharvey@76.205.222.173] has quit [Read error: 104 (Connection reset by peer)]
17:11 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Client Quit]
17:35 -!- nantes_geek [n=nantes_g@ARouen-153-1-67-239.w90-17.abo.wanadoo.fr] has quit [Read error: 110 (Connection timed out)]
17:39 -!- burnin [n=burnin@204-228-142-194.ip.xmission.com] has quit ["Leaving"]
18:24 -!- krzie [i=krzee@unaffiliated/krzee] has joined ##openvpn
18:24 -!- vpnHelper [i=vpn@joogot.noskills.net] has joined ##OpenVPN
18:25 < krzie> !learn
18:25 < vpnHelper> krzie: Invalid arguments for learn.
18:25 < krzie> sweet
18:25 -!- vpnHelper [i=vpn@joogot.noskills.net] has quit [Client Quit]
19:38 -!- vpnHelper [i=vpn@joogot.noskills.net] has joined ##OpenVPN
19:39 < krzie> !learn krzee as http://www.ircpimps.org/pimpin.jpg
19:39 < vpnHelper> krzie: The operation succeeded.
19:39 < krzie> !krzee
19:39 < vpnHelper> krzie: "krzee" is http://www.ircpimps.org/pimpin.jpg
19:40 < krzie> !learn howto as OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
19:40 < vpnHelper> krzie: The operation succeeded.
19:40 < krzie> http://openvpn.net/howto
19:40 < vpnHelper> Title: OpenVPN 2.0 HOWTO (at openvpn.net)
19:40 < krzie> heh, nice
19:40 < krzie> !howto
19:40 < vpnHelper> krzie: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
19:47 < krzie> !quit be right back
19:47 < vpnHelper> krzie: Error: You don't have the owner capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
19:47 < krzie> heh
19:47 < krzie> !quit be right back
19:47 -!- vpnHelper [i=vpn@joogot.noskills.net] has quit ["be right back"]
19:48 -!- vpnHelper [i=vpn@joogot.noskills.net] has joined ##OpenVPN
19:48 < krzie> there, now its in the background
19:49 < krzie> ill consider adding some openvpn RSS feeds to it, but i think this config is the least obtrusive to the channel while still helping us
19:54 < krzie> !learn tcp as Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
19:54 < vpnHelper> krzie: The operation succeeded.
19:56 < krzie> !learn nat as http://openvpn.net/howto.html#redirect
19:56 < vpnHelper> krzie: The operation succeeded.
19:57 < krzie> !learn secure as http://openvpn.net/howto.html#security
19:57 < vpnHelper> krzie: The operation succeeded.
19:57 < krzie> http://openvpn.net/howto.html#security
19:57 < vpnHelper> Title: OpenVPN 2.0 HOWTO (at openvpn.net)
19:57 < krzie> heh i love that
20:01 < krzie> !learn bridge as http://openvpn.net/index.php/documentation/faq.html#bridge1
20:01 < vpnHelper> krzie: The operation succeeded.
20:01 < krzie> !learn bridge as http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html
20:01 < vpnHelper> krzie: The operation succeeded.
20:02 < krzie> !bridge
20:02 < vpnHelper> krzie: "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html
20:03 < krzie> !learn faq as http://openvpn.net/index.php/documentation/faq.html
20:03 < vpnHelper> krzie: The operation succeeded.
20:06 < krzie> !learn sample as a working sample config: http://www.ircpimps.org/openvpn.configs 20:06 < vpnHelper> krzie: The operation succeeded. 20:07 < krzie> !sample 20:07 < vpnHelper> krzie: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs 20:08 < krzie> !learn secure as http://openvpn.net/index.php/documentation/security-overview.html 20:08 < vpnHelper> krzie: The operation succeeded. 20:08 < krzie> !secure 20:08 < vpnHelper> krzie: "secure" is (#1) http://openvpn.net/howto.html#security, or (#2) http://openvpn.net/index.php/documentation/security-overview.html 20:10 < krzie> !weather 20:10 < vpnHelper> krzie: (weather ) -- Returns the approximate weather conditions for a given city. 20:10 < krzie> !weather 92109 20:10 < vpnHelper> krzie: An error has occurred and has been logged. Please contact this bot's administrator for more information. 20:10 < krzie> heh 20:10 < krzie> !weather 92109 20:10 < vpnHelper> krzie: An error has occurred and has been logged. Please contact this bot's administrator for more information. 20:14 < krzie> !google openvpn howto 20:14 < vpnHelper> krzie: Error: Code red: 400 -> invalid key 20:15 < krzie> !google openvpn 20:15 < vpnHelper> krzie: Error: Code red: 400 -> invalid key 20:15 < krzie> !qgoogle openvpn 20:15 < vpnHelper> krzie: Error: The "QGoogle" plugin is loaded, but there is no command named "openvpn" in it. Try "list QGoogle" to see the commands in the "QGoogle" plugin. 20:15 < krzie> !qgoogle search openvpn 20:15 < vpnHelper> krzie: Error: The "QGoogle" plugin is loaded, but there is no command named "search" in it. Try "list QGoogle" to see the commands in the "QGoogle" plugin. 
20:15 < krzie> !list qgoogle 20:15 < vpnHelper> krzie: google 20:15 < krzie> !qgoogle google openvpn 20:15 < vpnHelper> krzie: Error: Code red: 400 -> invalid key 20:16 < krzie> bleh i guess ill reg a key for that 20:18 < krzie> !quit be right back 20:18 < vpnHelper> krzie: Error: You don't have the owner capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified. 20:18 < krzie> !quit be right back 20:18 -!- vpnHelper [i=vpn@joogot.noskills.net] has quit ["be right back"] 20:20 -!- vpnHelper [i=vpn@joogot.noskills.net] has joined ##OpenVPN 20:21 < krzie> !google openvpn 20:21 < vpnHelper> krzie: http://openvpn.net/ - Welcome to OpenVPN 20:21 < krzie> !google openvpn help 20:21 < vpnHelper> krzie: http://fedoraforum.org/forum/archive/index.php/t-81907.html - OpenVPN Help 20:21 < krzie> niiice 20:21 < krzie> !seen krzee 20:22 < vpnHelper> krzie: I have not seen krzee. 20:22 < krzie> !seen krzie 20:22 < vpnHelper> krzie: krzie was last seen in ##openvpn 6 seconds ago: !seen krzee 20:27 -!- krzie [i=krzee@unaffiliated/krzee] has quit ["BitchX: causing all sorts of havok!"] 21:38 -!- near [n=near@88-122-28-164.rev.libertysurf.net] has quit [Read error: 110 (Connection timed out)] 21:38 -!- near [n=near@88-122-31-232.rev.libertysurf.net] has joined ##openvpn 22:18 -!- solexious [n=solexiou@80-44-168-226.dynamic.dsl.as9105.com] has joined ##openvpn 22:18 < solexious> Hello any one free to help me with my bridge server config? 22:52 < ecrist> krzee: couple suggestions - could you echo the reply via /msg to keep chan traffic down? 22:53 -!- mooseman089 [n=mooseman@24.229.203.37.res-cmts.sm.ptd.net] has joined ##openvpn 22:53 < mooseman089> hey 22:53 < ecrist> also, could you test out of band? 22:53 < ecrist> mooseman089: hey 22:53 < mooseman089> do i need 2 nics to make a openvpn server in bridging mode? 
22:54 < ecrist> no 22:54 < ecrist> generally, anyway 22:55 < mooseman089> yea well i have a dedicated linux firewall to bridge my lan to the internet via nat and i forwarded 1194 udp to a spare system which will be the server 22:55 < ecrist> mooseman089: should work just fine 22:55 < ecrist> we're doing a routed setup with one interface 22:55 < ecrist> same difference, really. 22:56 < ecrist> but, why not run the OpenVPN instance on your firewall 22:56 < ecrist> g'night 22:57 < mooseman089> ok is it normal that when i run /usr/sbin/bridge-start (with my changes) that i lose network connectivity? 22:57 < mooseman089> well i can still access systems on the same subnet but not ping google or anything 23:04 < mooseman089> anybody here? --- Day changed Sun Aug 10 2008 00:36 -!- burnin [n=burnin@204-228-142-194.ip.xmission.com] has joined ##openvpn 00:57 < solexious> I get the same thing 00:57 < mooseman089> im glad im not alone 00:58 < solexious> what flavour of linux you using? 00:58 < mooseman089> debian 00:58 < mooseman089> u? 00:58 < solexious> ah, ubuntu here so almost the same 00:59 < mooseman089> yea im making some progress i think 00:59 < mooseman089> is your client windows? 00:59 < solexious> nope, ubuntu as well 01:00 -!- burnin [n=burnin@204-228-142-194.ip.xmission.com] has quit ["Leaving"] 01:00 < mooseman089> ok 01:01 < mooseman089> check this out http://zzzmaestro.wordpress.com/2008/07/22/openvpn-bridging-two-networks/ 01:01 < vpnHelper> Title: OpenVPN - Bridging two networks « Tech Stuff (at zzzmaestro.wordpress.com) 01:02 < mooseman089> i think the whole modifying the bridge-start with the route add default gw might be important 01:07 < mooseman089> did you try it? 
01:08 < solexious> nope will do 01:08 < mooseman089> yea for me i can then ping google.com which is good 01:10 < mooseman089> but i connected my client and i cant seem to use anything on the lan like it was working 01:26 -!- solexious [n=solexiou@80-44-168-226.dynamic.dsl.as9105.com] has quit [Read error: 110 (Connection timed out)] 02:31 < mooseman089> does debian have a tap device by default? 02:45 < krzee> ecrist, the reply is most often not meant for the person who will say it 02:46 < krzee> ecrist, you may have noticed that we usually answer the same questions over and over in here 02:46 < krzee> or say the same things 02:46 < krzee> !howto 02:46 < vpnHelper> krzee: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 02:46 < krzee> etc 02:57 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn 03:06 < mooseman089> in my openvpn log im getting the error "Cannot open TUN/TAP dev /dev/tap0: No such file or directory (errno=2)" im on debian with bridge-utils installed 03:10 < krzee> you sure you have the tun/tap driver? 03:11 < krzee> and it is loaded if it is a module 03:11 < mooseman089> if i do lsmod i see bridge and tun 03:13 < mooseman089> is tap in that tun module or do i need something else? 03:13 < krzee> its the same 03:13 < mooseman089> hmmm any ideas whats wrong? 03:15 < krzee> ifconfig shows the bridge? 03:16 < krzee> !google "Cannot open TUN/TAP dev /dev/tap0: No such file or directory (errno=2)" 03:16 < mooseman089> yea 03:18 < krzee> interesting the bot didnt bite 03:18 < krzee> !google Cannot open TUN/TAP dev /dev/tap0: No such file or directory (errno=2) 03:18 < mooseman089> yea well i have been doing a lot of googling but i havent found a solution yet and its driving me crazy 03:20 < krzee> openvpn --mktun --dev tap0 03:20 < krzee> done that? 03:20 < mooseman089> no i havent should i? 
03:21 < krzee> i believe so 03:21 < krzee> i dont use bridge 03:21 < krzee> and it has been too long since i have 03:21 < mooseman089> i think that command is run with the bridge-start script? 03:21 < krzee> just to ask, why do you want a bridge? 03:21 < mooseman089> i need to browse samba shares and lan games 03:22 < krzee> gotchya 03:22 < krzee> valid reasons =] 03:22 < mooseman089> yea its not as easy as i planned though thats for sure 03:22 < krzee> ya i find routed much easier 03:23 < krzee> http://forum.openwrt.org/viewtopic.php?id=5264 03:23 < vpnHelper> Title: OpenWrt / Creating OpenVPN using bridge interfaces (at forum.openwrt.org) 03:23 < krzee> seen that right? 03:23 < mooseman089> yea the default bridge-start script didnt work for some reason i had to modify it with a route add default gw so when it ran i could still get to the internet 03:25 < mooseman089> yea i think i saw that link but ill look at it again 03:25 < mooseman089> even with my missing tap device error my win client can still connect but it cant access anything on the lan so the vpn isnt working 03:26 < krzee> you have tun driver loaded 03:26 < krzee> you have run the command i pasted 03:26 < krzee> tap0 is in ifconfig? 03:28 < mooseman089> i ran the command and i see tap0 in ifconfig but the log still gets the error after a restart and the vpn isnt working 03:29 < krzee> try killing the bridge and restarting it manually 03:29 < krzee> ls -l /dev/tap* 03:30 < krzee> <-- only here for another couple minutes, then movie time 03:30 < mooseman089> yea its 4:30am here so i have to sleep eventually.... 03:30 < mooseman089> ls gets no such file or directory 03:30 < krzee> ya same time here 03:30 < mooseman089> after should i kill and restart manually? 03:30 < krzee> theres no error when you run the command i typed? 
03:31 < krzee> (openvpn --mktun --dev tap0) 03:31 < krzee> and after that theres no /dev/tap) 03:31 < krzee> and after that theres no /dev/tap0 03:32 < mooseman089> i just get tun/tap device tap0; persist state set to: ON 03:32 < mooseman089> yea no /dev/tap0 after 03:32 < krzee> but after that there is no /dev/tap0 03:32 < krzee> odd 03:32 < krzee> you are root... 03:32 < mooseman089> lol i was just typing fyi all this is in root 03:34 < mooseman089> i shutdown openvpn and now there is only eth0 and lo in ifconfig 03:34 < krzee> ahh 03:34 < krzee> then run my command 03:34 < mooseman089> yea i just tried and still nothing in ifconfig or /dev/tap0 03:36 < mooseman089> what else could i try? 03:36 < krzee> ls /dev/net/ 03:36 < mooseman089> tun 03:37 < krzee> modeprobe tun 03:37 < krzee> modprobe tun 03:37 < mooseman089> ok i didnt say anything after i ran it 03:38 < krzee> then the command...? 03:38 < mooseman089> i did the --mktun but nothing in /dev still 03:40 < krzee> !bridge 03:40 < vpnHelper> krzee: "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html 03:42 < mooseman089> yea i have seen both of those pages 03:42 < krzee> =/ 03:42 < krzee> i dont know, when you find the problem please let me know so i can maybe help the next bridge user 03:43 < mooseman089> yea im going to keep working with this i bet its something simple im just totally missing.... 03:43 < krzee> could be 03:44 < krzee> has to do with getting your OS to load the tap interface 03:44 < krzee> but im sure you knew that 03:44 < mooseman089> yea i thought my clean debian system would be perfect but im having second thoughts now 03:46 < mooseman089> do you think i need to do any like mknod commands? 
03:46 < mooseman089> like here http://forums.gentoo.org/viewtopic-t-184737.html 04:08 -!- mooseman089 [n=mooseman@24.229.203.37.res-cmts.sm.ptd.net] has quit [] 05:57 -!- chayane [n=malana@unaffiliated/chayane] has joined ##openvpn 06:10 -!- MoL0ToV [n=g@89.106.92.16] has quit ["changing servers"] 06:18 -!- MoL0ToV [n=g@89.106.92.16] has joined ##openvpn 07:07 -!- temba [n=okotoba@91-64-108-91-dynip.superkabel.de] has joined ##openvpn 08:55 -!- kralor [n=kralor@hackincorp.net] has joined ##openvpn 08:55 < kralor> o/ 08:57 -!- BoomSie [n=gideon@212-182-158-43.ip.telfort.nl] has joined ##openvpn 09:01 -!- kaushal [n=kaushal@59.184.10.118] has joined ##openvpn 09:01 < kaushal> hi 09:02 < kaushal> i want to add this sudo ip route add 10.0.0.0/8 via 10.10.50.12 dev tap0 while I am connecting to openvpn 09:02 < kaushal> is there a way to add it in the client side 09:04 < kaushal> anybody awake here 09:18 < kaushal> :/ 09:55 -!- BoomSie [n=gideon@212-182-158-43.ip.telfort.nl] has quit [Remote closed the connection] 10:19 -!- wwalker [n=wwalker@pdpc/supporter/sustaining/wwalker] has left ##openvpn [] 10:31 -!- HaRRT [n=Arthur@193.227.226.84] has quit [Read error: 104 (Connection reset by peer)] 10:44 < kaushal> ecrist, hi 10:44 < kaushal> ecrist, yt ? 11:11 -!- kaushal [n=kaushal@59.184.10.118] has quit ["Leaving"] 12:05 -!- chayane [n=malana@unaffiliated/chayane] has quit [Read error: 110 (Connection timed out)] 12:05 -!- burnin [n=burnin@204-228-142-194.ip.xmission.com] has joined ##openvpn 12:42 -!- mooseman089 [n=alex@24.229.203.37.res-cmts.sm.ptd.net] has joined ##openvpn 12:45 < mooseman089> is it possible to migrate openvpn server to another system by just copying all the keys and config files over? 
13:08 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Client Quit] 13:25 -!- mooseman089 [n=alex@24.229.203.37.res-cmts.sm.ptd.net] has quit ["Ex-Chat"] 13:31 -!- nantes_geek [n=nantes_g@ARouen-153-1-67-239.w90-17.abo.wanadoo.fr] has joined ##openvpn 13:51 -!- mooseman089 [n=mooseman@24.229.203.37.res-cmts.sm.ptd.net] has joined ##openvpn 14:01 < krzee> ecrist, here? 14:01 < mooseman089> hello 14:01 < krzee> hey moose 14:01 < krzee> [13:45] is it possible to migrate openvpn server to another system by just copying all the keys and config files over? 14:01 < krzee> yes 14:01 < krzee> just install it on the other one first 14:02 < mooseman089> yea i just tried moving my whole openvpn setup to another ubuntu system and same errors 14:02 < krzee> the keys and configs are platform independent except for a couple small things special for windows 14:02 < krzee> by whole setup you mean binaries and whatnot? 14:03 < mooseman089> well i did apt-get install on the system and just moved over /etc/openvpn 14:03 < krzee> ... what is in your /etc/openvpn 14:03 < mooseman089> just the conf file and keys 14:04 < krzee> what errors do you get? 14:05 < mooseman089> the tap0 one i had on my first server 14:06 < mooseman089> the first was debian this one is ubuntu so this could be a debian problem still 14:06 < krzee> oh well you get the same errors as before 14:06 < krzee> heheh thats kinda expected 14:06 < krzee> you use the same thing to do the same thing, and the same thing happens 14:06 < mooseman089> lol i was hopeful.... 14:06 < krzee> hah 14:07 < mooseman089> i thought maybe a long time ago i did something on the first server to ruin it.... 
14:07 < mooseman089> though i might have a solution soon http://ubuntuforums.org/showthread.php?p=5561454 14:07 < vpnHelper> Title: [ubuntu] Problems with OpenVPN and bridging - Ubuntu Forums (at ubuntuforums.org) 14:12 < krzee> !learn insanity as doing the same thing over and over expecting different results 14:13 < krzee> sorry not directed at you, seems like a fun definition to have on the bot 14:13 < krzee> hehe 14:15 < krzee> !quit brb 14:16 -!- vpnHelper [i=vpn@joogot.noskills.net] has quit [Remote closed the connection] 14:16 -!- vpnHelper [i=vpn@joogot.noskills.net] has joined ##OpenVPN 14:16 < krzee> !learn insanity as doing the same thing over and over expecting different results 14:16 < vpnHelper> krzee: The operation succeeded. 14:18 < krzee> ahh cool it looks like you found your answer 14:18 < krzee> (kinda, not yet) 14:19 < krzee> i look forward to seeing it too (but im sure not as much as you do right now) 14:19 < krzee> hehe 14:24 < krzee> !quit brb with new host 14:24 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has quit ["brb with new host"] 14:24 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN 14:40 -!- rsc [n=robert@fedora/rsc] has joined ##openvpn 14:40 < rsc> Hello folks, openvpn 2.1rc9 seems to be unusable here for me. 14:41 < rsc> Aug 10 21:15:47 int-fw openvpn[22164]: x.y.z.a:1194 Verify command failed to execute: openssl verify -CAfile /etc/openvpn/PCAcert.pem 2 /C=DE/ST=Baden-Wuerttemberg/L=Stuttgart/O=PRIVATE/OU=Certification_Authority/CN=Root_Certification_Authority/emailAddress=pca@localhost 14:41 < rsc> with openvpn 2.1rc2 this worked, script-security 3 is already set to avoid problems with that. 14:41 < krzee> both sides are 2.1rc2? 14:42 < rsc> let me see. 14:42 < rsc> (was there an incompatibility between rc2 and rc9?) 14:43 < krzee> no idea 14:43 < krzee> also, you tried a strace / ktrace to see where the problem happens? 14:43 < rsc> looks like the shell expansion (?) or so is strange. 
14:44 < krzee> looks like it has to do with tls-verify 14:44 < rsc> because if I try to put the command on the shell, I'm getting also errors. 14:44 < rsc> yes. 14:44 < krzee> paste both your configs 14:44 < rsc> btw, client is 2.1rc8, server was 2.1rc2 in working state. client is 2.1rc8, server is 2.1rc9 when failures. 14:46 < rsc> server is http://fpaste.org/paste/4587 14:46 < vpnHelper> Title: Fedora Pastebin - Viewing paste #4587 (at fpaste.org) 14:46 -!- krzie [i=krzee@unaffiliated/krzee] has joined ##OpenVPN 14:46 < rsc> client is nothing special, can't access it from here, is at colleague's notebook which has the connection problems ;) 14:46 < rsc> but it's something simple, just the host and so on. 14:47 < rsc> (at least it affects all clients, but I've got only one colleague more or less around currently) 14:48 -!- temba [n=okotoba@91-64-108-91-dynip.superkabel.de] has quit [Read error: 110 (Connection timed out)] 14:48 < krzee> tls-verify "openssl verify -CAfile /etc/openvpn/PCAcert.pem" 14:48 -!- temba [i=pommes@91-64-108-91-dynip.superkabel.de] has joined ##openvpn 14:48 < rsc> yes 14:48 < rsc> but that worked for ages now. 14:48 < krzee> you using chroot? 14:49 < rsc> no, no chroot. 14:50 < rsc> upgrade from 2.1rc2 to 2.1rc9 was just a version bump in the build script. Same parameters, same options etc. 14:53 < krzee> brb from krzie 14:54 < rsc> ok 15:00 < rsc> Ideas? 15:18 < krzie> im checking it out, never seen tls-verify 15:19 < rsc> hehe. 15:19 < rsc> Unluckily it isn't my setup, was set up by a student here. 15:20 < rsc> the only thing, I would see as relevant is the switch of openvpn from system() to execve() in the changelog 15:20 < rsc> maybe I should build exactly that version before the switch and re-check 15:23 < krzie> try just commenting it out 15:24 < rsc> commenting it out, makes it work. 15:24 < rsc> (regarding tls-verify) 15:24 < krzie> cool, that way we're 100% its that 15:24 < rsc> why is there no rc8 tarball? 
15:24 < krzie> tried putting that in a script instead of calling openssl from there? 15:24 < krzie> there = config 15:26 < krzie> can you paste that pastebin link again pls 15:27 < rsc> http://fpaste.org/paste/4587 15:27 < vpnHelper> Title: Fedora Pastebin - Viewing paste #4587 (at fpaste.org) 15:27 < rsc> why is there no rc8 tarball of 2.1? 15:27 < krzie> *shrug* 15:27 < rsc> personally I'm _very_ sure it's a rc9 regression caused by system() vs. execvp() 15:28 -!- FurnaceBoy [n=toby@189.71.173.157] has joined ##openvpn 15:29 < krzie> have you tried putting "openssl verify -CAfile /etc/openvpn/PCAcert.pem" 15:29 < krzie> without ", in a script 15:29 < rsc> I didn't put it in a script, because I think, it requires STDIN 15:29 < krzie> and just calling tls-verify script 15:30 < krzie> # Use a tls-verify script or plugin to accept/reject the server connection based on a custom test of the server certificate's embedded X509 subject details. 15:30 < krzie> from the howto 15:33 < krzie> http://openvpn.net/archive/openvpn-devel/2006-11/msg00022.html 15:33 < vpnHelper> Title: [Openvpn-devel] ovpnCNcheck -- an OpenVPN tls-verify script (at openvpn.net) 15:34 < krzie> About the script: 15:34 < krzie> This script checks if the peer is in the allowed 15:34 < krzie> user list by checking the CN (common name) of the 15:34 < krzie> X509 certificate against a provided text file. 15:34 < krzie> For example in OpenVPN, you could use the directive 15:34 < krzie> (as one line): 15:34 < krzie> tls-verify "/usr/local/sbin/ovpnCNcheck.py 15:34 < krzie> /etc/openvpn/userlist.txt" 15:36 < rsc> okay so far, the stuff worked, rc9 breaks it somehow. 15:36 < rsc> so this is IMHO an openvpn problem, not a configuration one. 15:43 < krzie> so you dont want to try that? 
15:43 < krzie> if you believe it is a problem in the openvpn code post to the openvpn-devel list 15:44 < krzie> !google openvpn mail list 15:45 < krzie> !learn mail as http://sourceforge.net/mail/?group_id=48978 15:45 < krzie> grr 15:46 < rsc> ;) 15:47 < rsc> I'm trying rc8 first. If rc8 works, rc9 contains a regression, simple thing. 15:47 < mooseman089> hey im back 15:47 < krzie> mooseman089, did that person reply in the forum yet? 15:48 < mooseman089> nope im waiting eagerly for it though 15:58 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has quit [Remote closed the connection] 16:01 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN 16:02 < krzie> !learn mail as http://sourceforge.net/mail/?group_id=48978 16:02 < vpnHelper> krzie: The operation succeeded. 16:03 < mooseman089> i dont know how that --mktun command could run fine but the /dev/tap0 isnt there.... 16:10 < krzie> try compiling tuntap into kernel instead of module 16:11 < mooseman089> i have played with linux a lot but never tried recompiling a kernel :/ 16:11 < krzie> could be time ;] 16:11 < FurnaceBoy> any hints on a client (winxp) that abruptly stops TLS handshaking... ta.key is in use... certificate is valid. many other clients using same server without problems. 16:11 < FurnaceBoy> i checked the list @ the FAQ 16:11 < FurnaceBoy> no server issue exists, must be client... 16:12 < krzie> FurnaceBoy, firewall? 16:16 < FurnaceBoy> krzie looking into that on the windows end... but not likely (since user hasn't changed it) 16:16 < FurnaceBoy> krzie, in fact doesn't know how to. :| 16:17 < FurnaceBoy> any other common causes? anyone experiencing isp port filtering at client end, etc? 
16:17 < krzie> by default it wants to firewall 16:17 < krzie> and i believe after disabling it there is a big windows red shield saying click here to re-enable 16:17 < krzie> i dont use windows so im not 100% but i remember something like that 16:17 < mooseman089> yea i think krzie is right 16:18 < FurnaceBoy> krzie ok. no response from user on this question yet. :| 16:18 < FurnaceBoy> but the weird thing is they haven't changed anything. just tls stopped negotiating. and *something* is hitting the server since its logs note the failed negotiation. 16:18 < FurnaceBoy> so the firewall isn't blocking everything (if it's active) 16:18 < krzie> even if they say "no i didnt click anything" half the time that means "yes i clicked everything in the world" 16:18 < FurnaceBoy> :) 16:18 < krzie> its best if you can acquire the machine and check stuff yourself 16:19 < FurnaceBoy> not a chance; they're in another country far far away :) 16:19 < krzie> ouch 16:19 < krzie> remote desktop? 16:19 < FurnaceBoy> i prefer not even to touch windows even at that remove. :) 16:19 < FurnaceBoy> i'm hoping they'll confirm or deny firewall soon. 16:20 < krzie> i prefer not to touch windows, but sometimes you gotta 16:20 < FurnaceBoy> big thick rubber gloves! 16:20 < krzie> you should walk them through verifying if its up then 16:20 < krzie> (firewall, for the interface) 16:20 < FurnaceBoy> i'm really suspecting isp shenanigans, they're in a ... tightly controlled jurisdiction. 16:20 < krzie> ohhh 16:20 < krzie> where? 16:21 < krzie> thing is, they're able to start the process 16:21 < FurnaceBoy> if this were anywhere but irc, i'd say. :) 16:21 < FurnaceBoy> yes 16:21 < FurnaceBoy> definitely 16:21 < FurnaceBoy> and i can watch the server logs 16:21 < krzie> whereas a firewall blocking on the tun interface could do it 16:21 < FurnaceBoy> i see the failure there, so it's not like all packets are missed 16:21 < FurnaceBoy> hm ok 16:23 < krzie> are you using tcp to avoid the country's firewall? 
16:23 < krzie> cause tcp connections over links with latency can have a hard time connecting... 16:23 < krzie> not always, but can intermittently 16:25 < FurnaceBoy> udp 16:26 < FurnaceBoy> it's used from several countries (5 off the top of my head) 16:26 < FurnaceBoy> this is the first undiagnosable problem which is why i suspect funny business in local networks 16:26 < FurnaceBoy> somebody throwing a spanner into sniffed tls negotiations? (guessing) 16:26 < FurnaceBoy> i should say *so far* undiagnosed 16:27 < krzie> im thinking its a local issue on the winbox 16:28 -!- temba [i=pommes@91-64-108-91-dynip.superkabel.de] has quit [Connection timed out] 16:28 < FurnaceBoy> hope so. 16:33 < krzie> other thing is the client may have better error log 16:37 < krzie> !quit brb 16:37 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has quit ["brb"] 16:37 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN 16:44 < rsc> krzie: it's a regression of 2.1rc8 -> 2.1rc9 16:44 < rsc> krzie: looks like the change from system() -> execvp() is just crappy work ;) 16:51 < krzie> gotchya, and changing it to a script in rc9 doesnt help any? 16:52 < krzie> (seeing as the docs say it runs a script or plugin, seems worth giving a shot) 16:55 < krzie> if that doesnt fix it, i'd submit a bug report to the dev list 17:01 < rsc> krzie: script didn't change anything here 17:01 < rsc> krzie: I already opened up a bug report for Fedora. But you can do an upstream one, if you like. 17:02 < rsc> krzie: feel free to reference https://bugzilla.redhat.com/show_bug.cgi?id=458600 from Fedora. 
17:02 < vpnHelper> Title: Bug 458600 Verify command failed to execute: openssl verify -CAfile /etc/openvpn/PCAcert.pem (at bugzilla.redhat.com) 17:03 < krzie> that wont get anything done 17:03 < krzie> fedora doesnt develop openvpn 17:03 < krzie> !mail 17:03 < vpnHelper> krzie: "mail" is http://sourceforge.net/mail/?group_id=48978 17:04 < krzie> if you dont tell the right devs, dont expect it to be fixed 17:04 < rsc> krzie: the Fedora OpenVPN maintainer is responsible for handling upstream things. 17:04 < krzie> personally, i wont be using tls-verify and dont plan on it, so i think you have more reason than me to report it to them 17:04 < krzie> i dont get it, you think its a fedora bug or openvpn bug? 17:05 < rsc> it's an OpenVPN one. But first I've to stop 2.1rc9 on its way into Fedora -> Fedora Bug report 17:06 < rsc> after that, the Fedora maintainer of OpenVPN catches the report and will push the issue upstream/Cc me and so on. 17:06 < krzie> *shrug* whatever makes you happy 17:06 < rsc> krzie: just the regular distribution workflow...confusing, I know. But working and proofed a lot of times 17:07 < krzie> nah i understand what you're saying, but seems more logical to tell the openvpn devs if you care (i dont so ill let the subject die here) 17:08 < rsc> yes, this happens next. 17:08 < rsc> either by me or the Fedora package maintaner 17:08 < rsc> *maintainer 17:08 < krzie> cool, glad you got it workin 17:09 < krzie> !learn tls-verify as seems to be broken in 2.1rc9 and working in 2.1rc8 https://bugzilla.redhat.com/show_bug.cgi?id=458600 17:09 < vpnHelper> krzie: The operation succeeded. 17:17 < mooseman089> krzie how intense is compiling the kernel? 
17:18 < krzie> i dont run linux but its easy in freebsd and i see more people that are new to *nix using linux so i imagine its easy there too 17:18 < krzie> all you gotta do is read the manual 17:18 < mooseman089> hmm ok if i dont get a response in like a hour ill look into compiling 17:19 < krzie> i saw it fixed some other peoples problem when they got the same error as you 17:19 < krzie> in one of the links i posted last night i think 17:19 < mooseman089> oh ok 17:19 < mooseman089> i just dont know why that module wouldnt be working.. 17:20 < krzie> nor do i, but thats before openvpn, more of an OS+module thing 17:20 < mooseman089> yea i agree 17:23 < FurnaceBoy> mooseman089, basic advice, do a thorough hardware checklist before you start. what distro? 17:23 < FurnaceBoy> mooseman089, and make sure you have a fallback kernel (i.e. don't replace your working one, evah!) 17:24 < krzie> FurnaceBoy he just wants to compile in tuntap (but the backup kernel is great advice) 17:24 < mooseman089> yea im thinking i might make a drive image first just in case of a complete failure 17:25 < FurnaceBoy> mooseman089, unlikely! 17:25 < mooseman089> i hope you're right 17:25 < FurnaceBoy> mooseman089, you might try and find the exact config for the kernel you're running. 17:25 < FurnaceBoy> I configure mine from scratch so I don't know where to look on your distro. 17:26 < mooseman089> ok 17:26 < FurnaceBoy> and get the same source version, if possible 17:26 < FurnaceBoy> since you know it's working 17:26 < krzie> mooseman089 by distro he means which linux do you run? 17:27 < FurnaceBoy> hehe 17:27 < mooseman089> well i could either do this on a debian or ubuntu system both fully updated 17:27 < FurnaceBoy> jargon, sorry 17:27 < FurnaceBoy> mooseman089, the other approach is to keep exactly your current kernel, and just build as a module. 
17:27 < FurnaceBoy> ultra conservative but possibly no easier 18:56 -!- mzanfardino [n=mark@astound-64-85-228-83.ca.astound.net] has joined ##openvpn 18:56 < mzanfardino> question regarding setting up the vpn: can you route 192.168.x.x over a vpn? I had thought 192.168.x.x was non-routable... 18:57 -!- Optic [n=dfraser@miso.capybara.org] has left ##openvpn [] 19:12 < FurnaceBoy> mzanfardino, it's 'non routable' on the public internet. 19:12 < FurnaceBoy> mzanfardino, what you do in the privacy of your own home is your business. :) 19:12 < krzie> right, its reserved for lan use, like a vpn for example 19:14 < mzanfardino> right. that's my understanding as well. Bear in mind that I'm new to openvpn and I'm attempting to troubleshoot a newly created vpn server. I just want to eliminate this as an issue. So to recap, if my home network is in the 192.168 range and I connect to it from outside via openvpn, i should have no problem pinging active machines in the 192.168 range from the system on the outside with the open vpn connection, right? 19:19 -!- nantes_geek [n=nantes_g@ARouen-153-1-67-239.w90-17.abo.wanadoo.fr] has quit [Read error: 110 (Connection timed out)] 19:20 < FurnaceBoy> mzanfardino, I believe openvpn has that capability, though I've never configured it 19:20 < FurnaceBoy> mzanfardino, it's not default (afaik) 19:22 -!- nantes_geek [n=nantes_g@ARouen-153-1-67-239.w90-17.abo.wanadoo.fr] has joined ##openvpn 19:26 < mzanfardino> hmm... ok, well, I'm working with someone on #dd-wrt as it's dd-wrt that's my openvpn server 19:27 < krzee> mzanfardino, you are using routed tun? 19:27 < krzee> as long as the 2 lans are in different subnets, no problem 19:27 < krzee> !configs 19:27 < vpnHelper> krzee: Error: "configs" is not a valid command. 19:27 < krzee> !config 19:27 < krzee> !sample 19:27 < vpnHelper> krzee: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs 19:28 < mzanfardino> tap actually 19:29 < krzee> for windows share browsing? 
19:29 < mzanfardino> no windows. strictly linux 19:29 < krzee> then why do you need tap? 19:29 < krzee> !bridge 19:29 < vpnHelper> krzee: "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html 19:30 < krzee> !learn bridge as if you dont know why you need a tap bridge, you probably want a routed tun 19:30 < mzanfardino> yikes. I was afraid a question like this might come up. I don't have a clue. The history, if you can bear with me a second is this: we have just installed openvpn at work. I want the same capability here at home. I've flashed my router with dd-wrt as it has openvpn integrated. I'm configuring my home vpn to look like the work vpn. However, I did not choose tap vs. tun at work and really don't know the difference. 19:31 < krzee> ahh 19:31 < krzee> http://openvpn.net/index.php/documentation/faq.html#bridge1 19:31 < vpnHelper> Title: FAQ (at openvpn.net) 19:31 < rob0> cool, we have a bot! 19:31 < rob0> krzee, yours? 19:31 < mzanfardino> ok, so I need to RTFM... ;) 19:31 < krzee> aye, its new... still working out some bugs 19:32 < krzee> mzanfardino, you likely want routed 19:32 < krzee> less overhead and as far as im concerned, it is easier 19:32 < krzee> !krzee 19:32 < vpnHelper> krzee: "krzee" is http://www.ircpimps.org/pimpin.jpg 19:32 < mooseman089> yea trust me bridge is annoying... 19:32 * FurnaceBoy uses routed 19:33 < krzee> rob0, !learn as , then you can !keyword to pull it up 19:33 < rob0> Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better. 
19:33 < rob0> yeah I've seen bots like that 19:33 < krzee> werd 19:34 < krzee> !bridge 19:34 < vpnHelper> krzee: "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html 19:34 < krzee> !learn bridge as Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better. 19:34 < rob0> nice hat krzee :) 19:34 < krzee> hrm i wonder why it only wants 2 definitions 19:34 < krzee> oh well ill worry bout that later 19:34 < mzanfardino> krzee: on a complete aside, I have both that hat and the cane! :) 19:34 < krzee> hahaha 19:34 < krzee> nice 19:34 < krzee> time for me to go use up a little of this hash oil 19:34 < krzee> lol 19:35 < rob0> you can probably do "!forget factoid" 19:35 < mzanfardino> krzee: got them for my birthday this year to celebrate A Pimp Named Slickback... an alter ego of mine... blatantly stolen from Boondocks. 19:35 < krzee> someone may want to let mzanfardino know about the need to either run openvpn on his gateway of the lan he wants to ping through, or to add the route to said gateway 19:35 < krzee> i would but gotta go 19:35 < krzee> adios all! 19:36 < mooseman089> cya 19:36 < mzanfardino> ah 19:36 < mzanfardino> hmm 19:36 < mzanfardino> ok 19:51 < mooseman089> if i were to use ip routing i could still type in any address to a browser for an intranet web server? 20:00 < FurnaceBoy> can you explain that question another way? 20:21 < ecrist> krzee: I am now. :) 20:23 -!- Irssi: ##openvpn: Total of 29 nicks [0 ops, 0 halfops, 0 voices, 29 normal] 20:25 < mooseman089> furnaceboy nevermind i think that question confused me.... 20:25 < ecrist> :) 20:27 < mooseman089> in the openvpn config files are # and ; the same thing (comments) 20:27 < ecrist> yes, I think ; is a valid comment line. 
20:28 < mooseman089> ok great 20:33 < FurnaceBoy> yep 20:51 -!- FurnaceBoy [n=toby@189.71.173.157] has quit ["This computer has gone to sleep"] 20:53 -!- FurnaceBoy [n=toby@189.71.173.157] has joined ##openvpn 21:05 -!- FurnaceBoy [n=toby@189.71.173.157] has quit ["Leaving"] 21:36 -!- near [n=near@88-122-31-232.rev.libertysurf.net] has quit [Read error: 110 (Connection timed out)] 21:37 -!- near [n=near@83-155-184-101.rev.libertysurf.net] has joined ##openvpn 21:40 -!- mzanfardino [n=mark@astound-64-85-228-83.ca.astound.net] has left ##openvpn ["Konversation terminated!"] 21:59 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has quit [Remote closed the connection] 21:59 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN 22:00 < krzee> !learn bridge as Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better. 22:00 < vpnHelper> krzee: The operation succeeded. 22:01 < krzee> [20:51] if i were to use ip routing i could still type in any address to a browser for an intranet web server? 22:01 < krzee> yes 22:01 < krzee> all you need for that is the right routes 22:04 < krzee> !learn bridge as useful for windows sharing (without wins server) and LAN gaming, anything where the protocol uses MAC addresses instead of IP addresses. 22:04 < vpnHelper> krzee: The operation succeeded. 22:04 < krzee> !bridge 22:04 < vpnHelper> krzee: "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better., or (#4) useful for windows sharing (without wins server) and LAN gaming, anything where (1 more message) 22:04 < krzee> !more 22:04 < vpnHelper> krzee: the protocol uses MAC addresses instead of IP addresses. 
22:04 < krzee> k, so thats how vpnHelper works guys =] 22:14 -!- nantes_geek [n=nantes_g@ARouen-153-1-67-239.w90-17.abo.wanadoo.fr] has quit [Read error: 110 (Connection timed out)] 22:15 -!- mooseman447 [n=mooseman@207-172-54-23.c3-0.tlg-ubr5.atw-tlg.pa.cable.rcn.com] has joined ##openvpn 22:27 < krzee> !learn mtu as you may find help finding the right MTU with this method: http://help.expedient.com/broadband/mtu_ping_test.shtml 23:25 -!- mooseman447 [n=mooseman@207-172-54-23.c3-0.tlg-ubr5.atw-tlg.pa.cable.rcn.com] has quit [Read error: 110 (Connection timed out)] --- Day changed Mon Aug 11 2008 00:42 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has quit [Remote closed the connection] 00:44 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN 00:44 < krzee> !learn mtu as you may find help finding the right MTU with this method: http://help.expedient.com/broadband/mtu_ping_test.shtml 00:44 < vpnHelper> krzee: The operation succeeded. 00:44 < krzee> !learn iroute does not bypass the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. ccd entries are basically included into server.conf, but only for the specified client, so when the network is behind a client the iroute goes into the clients ccd entry. 00:44 < vpnHelper> krzee: Invalid arguments for learn. 00:45 < krzee> !learn iroute as does not bypass the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. ccd entries are basically included into server.conf, but only for the specified client, so when the network is behind a client the iroute goes into the clients ccd entry. 00:45 < vpnHelper> krzee: The operation succeeded. 
00:45 < krzee> !learn ccd as entries that are basically included into server.conf, but only for the specified client 00:45 < vpnHelper> krzee: The operation succeeded. 00:47 -!- burnin [n=burnin@204-228-142-194.ip.xmission.com] has quit ["Leaving"] 01:28 -!- mooseman089 [n=mooseman@24.229.203.37.res-cmts.sm.ptd.net] has quit [] 02:07 -!- BoomSie [n=gideon@dw772421126.amsterdam-tc.dataweb.net] has joined ##openvpn 02:40 < kraut> moin 02:47 < krzee> mornin 03:46 -!- lolo92 [n=laurentl@host.146.247.23.62.rev.coltfrance.com] has joined ##openvpn 03:46 < lolo92> hello 03:47 < krzee> hey 03:47 -!- lolo92 [n=laurentl@host.146.247.23.62.rev.coltfrance.com] has quit [Client Quit] 03:48 -!- lolo92 [n=lolo92@84.55.144.90] has joined ##openvpn 03:49 < lolo92> the openvpn.nsi file from the last RC release search a file "!include "${HOME}\autodefs\defs.nsi" 03:49 < lolo92> but i dont have any defs.nsi file... 03:49 < lolo92> i have installed the last nsi package 03:49 < lolo92> nsis 03:50 < krzee> nsi? 03:50 < lolo92> krzee: nsis 03:50 < krzee> ahh i see, Nullsoft Scriptable Install System 03:50 < krzee> so you're talkin bout windows 03:50 < krzee> ? 03:51 < lolo92> yes i want to build windows package 03:51 < krzee> you want to package your own setup? 03:51 < lolo92> yes 03:51 < krzee> i take it you read this? 
http://openvpn.se/files/howto/openvpn-howto_roll_your_own_installation_package-Rev1.1.html 03:51 < vpnHelper> Title: HowTo Roll Your Own OpenVPN Windows Installation Package (at openvpn.se) 03:52 < lolo92> yes i have read this 03:52 < lolo92> it works well with an older version of openvpn 03:52 < lolo92> but with the last version RC9 03:52 < krzee> ahh, im afraid i will be useless then 03:52 < lolo92> the openvpn.nsi script wants new files to include 03:52 < krzee> as i dont have a windows box 03:53 < krzee> !mail 03:53 < vpnHelper> krzee: "mail" is http://sourceforge.net/mail/?group_id=48978 03:53 < krzee> you may want to post to openvpn dev list 03:54 < lolo92> ok 04:11 -!- Han [n=han@unaffiliated/han] has joined ##openvpn 04:13 < Han> Hi. I have a configfile with multiple lines like push "route 10.0.0.0 2552.255.254.0", yet after sending a HUP signal openvpn does not add those routes. How come? 04:18 < Han> ignore that, I misunderstood what push was supposed to do. 04:20 < krzee> so you understand it now? 04:21 < Han> I'm getting there. Now I need to figure out how openvpn sets up routes internally. 04:22 < krzee> what do you mean? 04:24 < Han> hmm I just get into the matter. OpenVPN sets up tunnels here, but I had to manually add routes to be able to get to certain locations. 04:24 -!- hawk [n=hawk@pdpc/supporter/active/hawk] has joined ##openvpn 04:24 < Han> Always fun when your predecessor doesn't document a thing. 
04:25 < krzee> ahh 04:25 < krzee> when the server needs to know a route 04:25 < krzee> use route in the server config file 04:25 < krzee> when client does, push route 04:25 < krzee> (in server config file) 04:26 < krzee> !ccd 04:26 < vpnHelper> krzee: "ccd" is entries that are basically included into server.conf, but only for the specified client 04:26 < krzee> !iroute 04:26 < vpnHelper> krzee: "iroute" is does not bypass the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. ccd entries are basically included into server.conf, but only for the specified client, so when the network is behind a client the iroute goes into the clients ccd entry. 04:26 < Han> ah 04:27 < Han> so for each push "route foo bar" there should be a matching route foo bar? 04:28 < krzee> umm, dunno 04:28 < krzee> i dont group it like that in my head 04:28 < krzee> just know which box would need the route manually added 04:29 < krzee> if its all clients, push route in server config 04:29 < krzee> if its 1 client, push the route in ccd entry 04:29 < krzee> if its server, put it in server config (not pushed) 04:29 < Han> hmmm 04:30 < krzee> a push route is the same as route, but is run on the client 04:30 < krzee> the client may need the pull command in config 04:30 < krzee> to take the pushes 04:34 < Han> lets experiment a bit on a non-production server =) 04:35 < Han> thanks for your help 04:45 < krzee> np 05:31 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 08:00 -!- mcp [n=hightowe@wolk-project.de] has joined ##openvpn 08:41 -!- lolo92 [n=lolo92@84.55.144.90] has quit ["Quitte"] 09:09 < ecrist> morning, folks 09:22 < rmull> morin ecrist 09:29 < cpm> morning 09:31 < rmull> hi cpm 10:03 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 10:23 < ecrist> hi, mikkel 10:43 -!- BoomSie [n=gideon@dw772421126.amsterdam-tc.dataweb.net] has quit [Remote 
closed the connection] 11:17 -!- n3kl [n=n3kl@c-24-8-165-101.hsd1.co.comcast.net] has left ##openvpn [] 11:21 -!- mooseman089 [n=mooseman@24.229.203.37.res-cmts.sm.ptd.net] has joined ##openvpn 11:34 -!- kaushal [n=kaushal@59.184.58.220] has joined ##openvpn 11:34 < kaushal> ecrist, hi 11:34 < kaushal> good evening 11:35 < kaushal> ecrist, yt ? 11:38 -!- mooseman447 [n=mooseman@24.229.203.37.res-cmts.sm.ptd.net] has joined ##openvpn 11:38 -!- mooseman447 [n=mooseman@24.229.203.37.res-cmts.sm.ptd.net] has quit [Client Quit] 11:41 < ecrist> sup, kaushal ? 11:41 < kaushal> I have bought my Ubuntu Laptop 11:41 < kaushal> today at home 11:42 < kaushal> please give me a moment 11:44 -!- bandini [n=bandini@host90-110-dynamic.31-79-r.retail.telecomitalia.it] has quit [Read error: 60 (Operation timed out)] 11:44 < kaushal> back 11:44 < kaushal> I want to add the route command sudo ip route add 10.0.0.0/8 via 10.10.50.12 dev tap0 11:44 < kaushal> on the client side 11:45 < ecrist> ok... 11:47 < kaushal> I have used NetworkManager to configure openvpn on the Client side 11:47 < kaushal> as i said to you last time every now and then i need to add that command whenever i need to connect to openvpn 11:47 < kaushal> server 11:48 < kaushal> ecrist, you gave me a hint that it can be done too on the client side 11:49 < kaushal> I could not do it 11:49 < ecrist> ok, so, find the openvpn client config file and add the 'up' option. 11:50 < kaushal> ok 11:52 < kaushal> ecrist, http://rafb.net/p/zgapsL50.html 11:52 < vpnHelper> Title: Nopaste - No description (at rafb.net) 11:52 < kaushal> I am using it on Ubuntu 8.04 Desktop Linux 11:53 < ecrist> kaushal: you tell me which it is. 11:53 < ecrist> my guess, /home/kaushal/openvpn 11:54 < ecrist> I'm not about to do it for you, however. 11:55 -!- mooseman089 [n=mooseman@24.229.203.37.res-cmts.sm.ptd.net] has quit [Remote closed the connection] 12:01 < kaushal> ecrist, it isnt there 12:02 < ecrist> what isn't there? 
12:02 < kaushal> I mean openvpn client config 12:02 < ecrist> well, I can't help you until you find it. 12:03 < kaushal> ecrist, I have used NetworkManager on Ubuntu 12:03 < ecrist> kaushal: I don't care. I don't use that program, and I'm not going to support it. 12:04 < ecrist> read the help, or google it. 12:04 < ecrist> it's a simple front-end to openvpn 12:04 < ecrist> there is a client config somewhere, you need to find it. 12:04 < ecrist> when you do, I can help 12:04 < ecrist> until then, my hands are ties. 12:04 < ecrist> tied* 12:19 -!- bandini [n=bandini@host29-109-dynamic.16-79-r.retail.telecomitalia.it] has joined ##openvpn 12:31 -!- mooseman089 [n=mooseman@24.229.203.37.res-cmts.sm.ptd.net] has joined ##openvpn 12:31 < mooseman089> hey 12:33 < cpm> I want a peanut butter and honey sandwich 12:35 < mooseman089> i like peanut butter and that marshallow fluff personally 12:35 * ecrist puts his wife in a peanut butter sandwich 12:36 < ecrist> get it, peanut butter and honey? 12:36 < ecrist> lol 12:36 < cpm> ecrist, rule #43, never explain 12:36 < cpm> :) 12:36 < mooseman089> wow... 12:36 < ecrist> cpm: that was part of the humor, the explanation. 12:36 * rmull is amused 12:37 * cpm is also amused 12:37 < ecrist> if the joke was tangible, I would have been pointing at it, eyebrows raised, nodding my head, AS I explained it. 12:37 < ecrist> :P 12:37 < mooseman089> am i the only one still wanting one of those sandwiches? 12:37 * ecrist doesn't know what marshallow is 12:38 < ecrist> what ever it isn't it isn't too deep. 12:38 < cpm> it's an american thing, really poisonous treat. 12:38 < ecrist> I was making fun of his spelling. 12:38 < cpm> http://en.wikipedia.org/wiki/Marshmallow 12:38 < vpnHelper> Title: Marshmallow - Wikipedia, the free encyclopedia (at en.wikipedia.org) 12:38 < cpm> !vpmHelper 12:38 < vpnHelper> cpm: Error: "vpmHelper" is not a valid command. 12:39 < cpm> !liat 12:39 < vpnHelper> cpm: Error: "liat" is not a valid command. 
12:39 < cpm> !liar 12:39 < vpnHelper> cpm: Error: "liar" is not a valid command. 12:39 < ecrist> !domelongtime 12:39 < vpnHelper> ecrist: Error: "domelongtime" is not a valid command. 12:39 < ecrist> doh! 12:39 < cpm> !learn liar as vpnHelper isn't always truthful 12:39 < vpnHelper> cpm: The operation succeeded. 12:39 < cpm> !liar 12:39 < vpnHelper> cpm: "liar" is vpnHelper isn't always truthful 12:39 < Han> consider consulting the bot in private 12:40 < ecrist> wow, way to piss on the parade. :\ 12:40 < cpm> quite so. But I still blame vpnHelper, he started it. 12:40 * ecrist blames vpmHelper 12:40 < ecrist> :P 12:42 * ecrist is done. 12:45 < ecrist> well, if anyone cares, I've got svn setup for ssl-admin, and wouldn't mind if others wanted to contribute to the scripts. 12:46 < ecrist> https://www.secure-computing.net/ssl-admin 12:46 < vpnHelper> Title: SCN Open Source - Trac (at www.secure-computing.net) 12:47 < rmull> ecrist: zomg, big SSL error!! :o 12:47 < rmull> jk :P 12:48 -!- int_ [n=quassel@wikia/int] has joined ##openvpn 12:48 -!- int_ is now known as int 12:48 -!- mcp [n=hightowe@wolk-project.de] has quit [Remote closed the connection] 12:50 -!- Han [n=han@unaffiliated/han] has left ##openvpn [] 12:50 -!- bandini [n=bandini@host29-109-dynamic.16-79-r.retail.telecomitalia.it] has quit [Read error: 110 (Connection timed out)] 13:03 -!- kaushal [n=kaushal@59.184.58.220] has quit ["Leaving"] 13:05 -!- mcp [n=hightowe@wolk-project.de] has joined ##openvpn 13:25 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn 13:33 -!- nantes_geek [n=nantes_g@ARouen-153-1-67-239.w90-17.abo.wanadoo.fr] has joined ##openvpn 13:38 -!- temba [i=pommes@91-64-108-91-dynip.superkabel.de] has joined ##openvpn 13:38 -!- Irssi: ##openvpn: Total of 31 nicks [0 ops, 0 halfops, 0 voices, 31 normal] 13:42 -!- burnin [n=burnin@204-228-142-194.ip.xmission.com] has joined ##openvpn 13:57 -!- Valect [n=aaron@71.39.93.58] has joined ##openvpn 14:00 < ecrist> *yawn* 14:00 < 
ecrist> this is a slow day, today 14:01 < mooseman089> im still trying to get my openvpn working in bridging mode... 14:01 < rmull> What problems are you having? 14:02 < mooseman089> im using debian but when i start openvpn in the log i see that it cannot open /dev/tap0 14:03 < mooseman089> i have tried running openvpn --mktun --dev tap0 but there is no tap0 in /dev 14:04 < rmull> How are you starting it? 14:05 < ecrist> mooseman089: you need to run it as root 14:05 -!- bandini [n=bandini@host111-108-dynamic.25-79-r.retail.telecomitalia.it] has joined ##openvpn 14:05 < ecrist> so, as root user, or use sudo 14:05 < mooseman089> yea i did 14:05 < ecrist> did you run the start-bridge script? 14:05 < mooseman089> rmull i have up /usr/sbin/bridge-start in the config 14:06 -!- bandini [n=bandini@host111-108-dynamic.25-79-r.retail.telecomitalia.it] has quit [Client Quit] 14:06 < ecrist> do you ever see the tap0 device show up in ifconfig? 14:07 < mooseman089> yea i see in ifconfig but not in /dev 14:07 < ecrist> mooseman089: you're not going to see in /dev, iirc. 14:07 < mooseman089> why not? 14:07 < ecrist> it's a virtual device. 14:07 < ecrist> a 'cloned' interface. 14:08 < ecrist> your /dev is generally reserved for hardware devices. 14:08 < krzee> root@hemp:/usr/home/krzee> ls /dev/tap0 14:08 < krzee> ./dev/tap0 14:08 < krzee> (added . 
for irc) 14:08 * ecrist fails 14:08 < krzee> of course thats on fbsd 14:09 < mooseman089> hi krzee 14:09 < krzee> hey =] 14:09 < ecrist> /kickban ecrist 14:09 < krzee> heh 14:09 < krzee> g'mornin =] 14:09 < ecrist> krzee: gif devices are cloned interfaces, and they don't show up in /dev 14:10 < ecrist> :\ 14:10 < ecrist> on freebsd 14:10 < krzee> suuuuuuuure 14:10 < krzee> ;] 14:10 < mooseman089> what about my openvpn log that is complaining 14:10 < ecrist> mooseman089: pastebin it, please 14:11 < mooseman089> ok 14:12 < mooseman089> http://pastebin.com/d7952205f 14:12 < vpnHelper> Title: pastebin - collaborative debugging tool (at pastebin.com) 14:13 < ecrist> krzee: can you blacklist that feature for various paste sites? 14:13 < rmull> krzee and ecrist: What about using that bot with tinyurl or xrl for URL squashing? 14:14 < rmull> For non-paste sites. 14:14 * ecrist looks quizzically at krzee 14:14 < krzee> im checking for ecrist's answer 14:14 < ecrist> mooseman089: that log makes me think it was not run as root. 14:14 < mooseman089> i swear it was 14:15 < krzee> rmull, what plugin for supybot would that be? 14:15 < ecrist> krzee: that's where you went wrong, using someone else's code. :) 14:15 < krzee> hah 14:16 < krzee> then you write one 14:16 < ecrist> I have. 14:16 < krzee> im not saying you haven't 14:16 < krzee> but if you wanna reinvent this wheel, go for it 14:16 < ecrist> no, that's OK. 14:16 < krzee> hehe 14:16 < krzee> ;] 14:16 < ecrist> the bots I've written are essentially glorified RSS readers. 14:17 < krzee> !help RSS 14:17 < vpnHelper> krzee: (rss []) -- Gets the title components of the given RSS feed. If is given, return only that many headlines. 14:17 < krzee> ;] 14:17 < ecrist> oh, and they interface with text pager hardware, but that's irrelevant. 14:17 < krzee> hardware to SMS? 14:17 < ecrist> no, actual Pagers, not SMS 14:18 < ecrist> but, it's not hard to do SMS 14:18 < krzee> right 14:18 < ecrist> there's lots of stuff out there for that. 
14:18 < krzee> but no point in hw 14:18 < mooseman089> so basically openvpn hates me? 14:18 < krzee> inet SMS 14:18 < ecrist> you just need an SMS gateway. 14:18 < ecrist> krzee: that's not as reliable as hardware SMS 14:18 < krzee> you can also page people over voip 14:19 < krzee> ecrist, true if the problem the SMS is alerting to is down eth card or whatnot 14:19 < krzee> lol 14:19 < ecrist> there's also often considerable latency in the inet->SMS gateway 14:19 < krzee> that all depends 14:20 < ecrist> in addition, there's the formatting - email-> SMS sucks because of the headers/etc. 14:20 < ecrist> regardless, this is all a bit OT. 14:20 < krzee> when i had a voip company we used inet for SMS'ing ourselves and it was never slow 14:20 < ecrist> I'm just messing with you on your choice of IRC bot. 14:20 -!- burnin [n=burnin@204-228-142-194.ip.xmission.com] has quit ["Leaving"] 14:20 < krzee> hehe yup ;] 14:20 < krzee> Mon Aug 11 15:01:55 2008 us=29849 TUN/TAP device tap0 opened 14:20 < krzee> Mon Aug 11 15:01:55 2008 us=29890 TUN/TAP TX queue length set to 100 14:20 < krzee> Mon Aug 11 15:01:55 2008 us=29971 /usr/sbin/bridge-start tap0 1500 1574 init 14:20 < krzee> Mon Aug 11 15:01:55 2008 Note: Cannot ioctl TUNSETIFF tap0: Device or resource busy (errno=16) 14:20 < krzee> Mon Aug 11 15:01:55 2008 Note: Attempting fallback to kernel 2.2 TUN/TAP interface 14:20 < krzee> Mon Aug 11 15:01:55 2008 Cannot open TUN/TAP dev /dev/tap0: No such file or directory (errno=2) 14:21 < krzee> thats odd 14:21 < ecrist> mooseman089: did you compile your openvpn software, or install a package? 14:21 < krzee> hey mooseman089, paste your ifconfig tap0 14:21 < krzee> Mon Aug 11 15:01:54 2008 us=916278 OpenVPN 2.0.9 i486-pc-linux-gnu [SSL] [LZO] [EPOLL] built on Sep 20 2007 14:21 < krzee> im going with package 14:22 < ecrist> yeah, prolly, but still gotta ask. 14:22 < ecrist> my php coding is hell today 14:22 < ecrist> simple logic is kicking my ass. 
14:22 < krzee> dude i woke up 2 hours after going to sleep so i could look at a house 14:22 < krzee> then the guy told me i couldnt go today 14:23 < krzee> i was / am pissed 14:23 < ecrist> I hope the housing market in your area is as good as ours, for buyers anyway. 14:23 < ecrist> selling a house, sucks. 14:23 < krzee> nah im just gunna rent 14:23 < krzee> i dont think the economy crash is over 14:23 < ecrist> my wife and I are going to be stuck in ours for a couple more years. 14:23 < krzee> and the US economy will affect many others including where im at 14:24 * ecrist thinks mooseman089 isn't paying attention anymore. 14:24 < ecrist> 36 mins to home time. 14:25 < krzee> supybot.plugins.Web.nonSnarfingRegexp 14:25 < krzee> This config variable defaults to "" and is channel specific. 14:25 < krzee> Determines what URLs are to be snarfed and stored in the database in the channel; URLs matching the regexp given will not be snarfed. Give the empty string if you have no URLs that you'd like to exclude from being snarfed. 14:25 < krzee> ecrist, ill add anything you paste to me to that in the config 14:26 < ecrist> perl regex? 
14:26 < krzee> snarfing is: 14:26 < krzee> [15:12] Title: pastebin - collaborative debugging tool (at pastebin.com) 14:26 < krzee> python 14:27 < krzee> although im not sure of a diff 14:28 < ecrist> .*paste.* 14:29 * mooseman089 is back for a sec 14:29 < mooseman089> ercist installed by package 14:30 < mooseman089> http://pastebin.com/m3b26ed8 14:30 < vpnHelper> Title: pastebin - collaborative debugging tool (at pastebin.com) 14:31 -!- mooseman089 is now known as mooseman089-lapt 14:31 -!- mooseman089-lapt is now known as mooseman-laptop 14:32 -!- mooseman089 [n=mooseman@24.229.203.37.res-cmts.sm.ptd.net] has joined ##openvpn 14:36 < Valect> i need some help getting broadcasts to work so I can access samba file shares over openvpn 14:37 < Valect> i'm using a bridge tap device 14:37 < Valect> bridged 14:37 -!- mooseman447 [n=mooseman@24.229.203.37.res-cmts.sm.ptd.net] has joined ##openvpn 14:37 < Valect> not really sure where to go from here 14:38 < ecrist> you assigning IPs from a DHCP server on the remote LAN? 14:38 < Valect> yes 14:40 < krzee> !bridge 14:40 < vpnHelper> krzee: "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better., or (#4) useful for windows sharing (without wins server) and LAN gaming, anything where (1 more message) 14:40 < krzee> !more 14:40 < vpnHelper> krzee: the protocol uses MAC addresses instead of IP addresses. 14:43 < rmull> August 11, 19:43GMT: 14:43 < rmull> vpnHelper becomes aware. 14:43 < vpnHelper> rmull: Error: "becomes" is not a valid command. 
14:43 < krzee> lol 14:43 < krzee> not that aware 14:43 < rmull> :D 14:43 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 14:44 < Valect> i've already looked at the documentation 14:44 < Valect> doesn't really tell me what i'm missing 14:46 < ecrist> Valect: so, the IPs are getting assigned, which means broadcasts are working. 14:46 < Valect> so what am i missing on the windows filesharing part of it 14:47 < ecrist> are your VPN clients on the same workgroup/domain? 14:47 < Valect> kind of - the samba server is on two subnets, one of which is the same as vpn clients 14:47 < ecrist> that's the only one they'll be able to browse, then. 14:47 < Valect> i'm aware 14:48 < ecrist> and they'll need to be on the same workgroup 14:48 < Valect> not so 14:48 < ecrist> unless they go to All Computers 14:48 < Valect> locally, i can be on any domain/workgroup and access it just fine 14:48 < ecrist> is the firewall blocking anything? 14:49 < Valect> that's what i'm not sure of. the firewall on the samba box isn't, but the pfsense firewall before it might be, but i'm not sure what all i need to configure for openvpn to get the firewall to leave it alone 14:50 < Valect> and neither are linux, so iptables commands won't particularly help 14:50 < ecrist> Valect: if you've got connectivity, and can get IPs from your remote LAN DHCP server, your openvpn config is complete. 14:51 < Valect> hm 14:51 < ecrist> my guess is that pfsense blocks certain windows/NetBIOS ports, by default. 14:51 < Valect> how do i know openvpn isn't the one assigning ips? 14:51 < Valect> :x 14:52 < ecrist> can you ping the LAN from the vpn? 14:52 < Valect> i don't recall, i last poked at this on friday, and i'm local to the vpn right now 14:53 < ecrist> that's ambiguous 14:53 -!- mooseman-laptop [n=mooseman@24.229.203.37.res-cmts.sm.ptd.net] has quit [Remote closed the connection] 14:53 < Valect> :p 14:53 < ecrist> you're remote, or on the LAN (LAN being what you're trying to connect TO). 
14:53 < Valect> i suppose i should come back when i'm not local so i can actually test things 14:53 < Valect> im on the lan and about 150 feet away from the openvpn server 14:53 < ecrist> well, if your VPN client is 'up' you should be able to ping it. 14:54 < Valect> sure, but that doesn't help me actually test what i can and cant reach on the vpn side if i can still reach it on the non-vpn side 14:54 < ecrist> sure it does. 14:54 < ecrist> what I'm saying is, if you've got a bridged VPN up, and you can ping from LAN to VPN, your Openvpn config is done. 14:54 < ecrist> period 14:54 < ecrist> everything else is external. 14:54 < ecrist> :\ 14:55 < Valect> you mean ping vpn clients from the lan? 14:55 < ecrist> yes 14:55 < Valect> can't, the lan is only configured for a /24 14:55 < ecrist> so? 14:56 < Valect> so.. the vpn is on a different /24 14:56 < Valect> and the subnet mask on the lan is ffffff00 14:56 < ecrist> that doesn't stop pings, unless you don't have the proper routes in place. 14:56 < Valect> i wouldn't know, i didn't setup the network 14:56 < Valect> lemme test some things 14:56 < ecrist> in my experience, more than 3/4 of problems people have in this chan are related to routing. 14:56 < ecrist> or firewalls 14:57 < Valect> i'm almost certain this is related to routing 14:57 < ecrist> NetBIOS broadcasts will not pass through subnets. 14:57 < ecrist> period 14:57 < Valect> that's fine, because samba is listening on the same subnet as vpn clients anyway 14:58 < Valect> hm 14:58 < ecrist> and, can samba ping the vpn clients? 14:58 < Valect> the server can 14:59 < Valect> clients on the lan can't ping the vpn subnet 14:59 < Valect> what route would remedy that? :p 15:00 -!- mooseman447 [n=mooseman@24.229.203.37.res-cmts.sm.ptd.net] has quit [Remote closed the connection] 15:04 < krzie> so.. 
the vpn is on a different /24 15:04 < krzie> and the subnet mask on the lan is ffffff00 15:04 < krzie> that's fine, because samba is listening on the same subnet as vpn 15:04 < krzie> clients anyway 15:04 * krzie baffles 15:04 < Valect> lol 15:04 < Valect> the samba box is on two subnets 15:04 < Valect> two interfaces 15:24 < ecrist> Valect: if the pings aren't going through, can you confirm that the clients are on the VPN, and have been given a valid IP address? 15:26 * ecrist goes home. 15:26 < Valect> i'm the only one able to test it right now, but when i'm remote, it gives me a valid ip 15:26 < Valect> and i can reach the samba box's ip 15:26 < Valect> i just can't access the actual samba part 15:26 < ecrist> ok, so why do you think it's a vpn issue, then? 15:27 < ecrist> sounds more and more like a firewall issue. 15:27 < Valect> i'm not sure what the issue is, that's what i wanted to figure out 15:27 < Valect> [12:37:11] not really sure where to go from here 15:27 < ecrist> ok, let me reiterate what I said earlier 15:28 < ecrist> if you can connect to the vpn, and get an IP, and you're able to verify connectivity (ping, etc), your VPN works, it's an external problem. 15:28 < ecrist> you indicated there's a pfSense firewall between the samba box and the vpn. 15:28 < ecrist> I'd start there. 15:28 < ecrist> a good way to test is, if you're able, temporarily disable the firewall for the vpn, if traffic gets through, that's your problem. 15:28 < ecrist> fix the ruleset, have a beer. 15:28 * ecrist really goes home now. 
15:28 < Valect> heh 15:38 < krzie> ya i agree with ecrist 15:38 < Valect> okay 15:38 < krzie> if you can ping over bridge, you can do arp over it 15:38 < krzie> as far as the vpn is concerned 15:39 < krzie> when im troubleshooting i always disable ALL firewalls 15:39 < krzie> then bring them up slowly 15:39 < Valect> i can't really disable our work firewall 15:39 < Valect> that would be a huge mistake 15:39 < Valect> i suppose i could dmz the samba box though 15:40 < krzie> could do that, or disable it for 2 minutes during the night 15:40 < krzie> im not saying throw it out the window ;] 15:40 < Valect> i would if pfsense would actually let me access it's webui remotely - i've been using lynx and elinks 15:40 < Valect> bloody nightmare that is 15:40 < krzie> haha 15:40 < krzie> i kinda like lynx, but never used pfsense 15:41 < Valect> i had some weird issue where it wouldn't reload the ruleset when using lynx 15:45 < krzie> weird 15:45 < Valect> s/it\'s/its/ 16:01 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 16:07 < mooseman089> hey im back 16:16 -!- mooseman447 [n=mooseman@24.229.203.37.res-cmts.sm.ptd.net] has joined ##openvpn 16:17 -!- mooseman089 [n=mooseman@24.229.203.37.res-cmts.sm.ptd.net] has quit [] 16:18 -!- temba [i=pommes@91-64-108-91-dynip.superkabel.de] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"] 16:27 * ecrist is home 16:29 < ecrist> Valect: you can temp disable pfsense's firewall by sshing into the box, and as root, type pfctl -d 16:29 < Valect> sshd crashes when i try to connect to it :D 16:30 < ecrist> your fw has problems 16:30 < Valect> you're telling me 16:32 < mooseman447> even though my server still has that tap0 error it still starts and my client can connect to it but how can i check if the vpn is working? 16:33 < ecrist> route traffic across it. 16:34 < mooseman447> the client is win xp 16:34 < ecrist> so 16:34 < ecrist> what're you using openvpn for? 
16:35 < mooseman447> oh i thought there was something funny i would need to do 16:35 < mooseman447> i mean i type in the ip address for an intranet server in ff but it doesnt load 16:35 < ecrist> sounds like a routing issue. 16:36 < mooseman447> maybe because the tap0 isnt working on the server? 16:36 < ecrist> could be, do you get an IP address on your desktop? 16:37 < mooseman447> yea one in the range allowed in the server-bridge option 16:38 < ecrist> ok, can you ping any of the addresses on the remote LAN? 16:38 < mooseman447> nope times out 16:38 < ecrist> any further errors in the log? 16:40 < mooseman447> no 16:40 < ecrist> I would hedge a bet on that error. 16:40 < mooseman447> ? 16:40 < ecrist> the error earlier. 16:40 < ecrist> tap error 16:41 < mooseman447> yea i think the tap driver is the problem 16:42 < mooseman447> do you have any ideas on how to go about fixing it? 16:43 < ecrist> try compiling OpenVPN directly on your system. 16:43 < mooseman447> oh that doesnt sound like fun 16:43 < ecrist> not a big deal at all 16:44 < ecrist> four commands, once you download the source tarball 16:44 < ecrist> tar -xzvf foo.tgz 16:44 < ecrist> ./configure 16:44 < ecrist> make 16:44 < ecrist> make install 16:44 < mooseman447> ok but first i would need to apt-get remove openvpn right? 16:44 < ecrist> yes, I'd do that. 16:45 < mooseman447> ok what about the bridge-utils package? 16:46 < ecrist> probably that, too. 16:46 < ecrist> you using a recent version of debian? 16:46 < mooseman447> yea 16:46 < mooseman447> i could also do this on an up to date version of ubuntu 16:48 < mooseman447> which do you think would be better? 16:49 < krzie> mooseman447, if you are scared to compile programs and kernels you might want to reconsioder running linux 16:49 < krzie> reconsider 16:50 < mooseman447> lol its alright ill do it in a little 16:50 < ecrist> mooseman447: I *know* the ubuntu stuff works. 
16:50 < mooseman447> i have to go get some food 16:51 < krzie> ecrist, i suggested compiling the driver into the kernel yesterday or the day before (days blurring together) 16:51 < krzie> i saw it fixed the same error in a forum 16:51 < mooseman447> which should i do compille the driver into kernel or compile openvpn? 16:51 < ecrist> mooseman447: did you try what krzie recommended? 16:51 < ecrist> mooseman447: it's not going to do you any good if you don't have a tap driver in your kernel. 16:51 < ecrist> :\ 16:51 < krzie> mooseman447 niether one could hurt, try one then the other 16:52 < ecrist> most of the time, it can be loaded dynamically, but your system seems broken. 16:52 < ecrist> try it on your ubuntu box, first. 16:52 < mooseman447> ercrist i must have the tap driver if i see tun and bridge in lsmod 16:52 < krzie> module 16:52 < krzie> im saying try losing the module in favor of compiling it in 16:53 < mooseman447> oh ok 16:53 < krzie> (you will no longer see it in lsmod cause it wont be a mod) 16:53 < mooseman447> well ill be back in a few 16:53 < krzie> a module is like an extention to the kernel 16:54 < krzie> in a forum i posted to you awhile back (yesterday or the day before) someone fixed that problem by compiling it in 16:54 < krzie> i dont see why it *should* matter, but it did for him 16:56 -!- Valect [n=aaron@71.39.93.58] has quit [Read error: 110 (Connection timed out)] 17:09 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Client Quit] 17:25 < mooseman447> ok im back ill first compile openvpn 17:26 < mooseman447> when i compile it doesnt add the automatic startup scripts right? 
17:33 < krzie> you're not asking an openvpn question, you're asking a question about your linux distro, which i cant answer 17:33 < krzie> might wanna try the channel for your distro for distro specific stuffs 17:34 < krzie> (or someone here might know, but not i) 17:36 < mooseman447> ok well i just compiled openvpn 17:36 < krzie> oh dug i can answer that 17:36 < krzie> s/dug/duh 17:36 < krzie> no it wont load a startup script or anything 17:37 < mooseman447> ok thats what i thought 17:37 < krzie> sorry the packages are whats OS specific 17:37 < mooseman447> i removed the bridge-utils package do i need to compile that too? 17:37 < krzie> <-- semi braindead today 17:37 < mooseman447> no worries 17:37 < krzie> bridge-utils should be fine from packages 17:38 < mooseman447> oh ill reinstall it in a sec 17:44 < mooseman447> should i try that openvpn --mktun --dev tap0? 17:45 < mooseman447> still no tap0 device 17:45 < krzie> same error? 17:46 < krzie> i cant speak for if you will see it in /dev/ or not in linux 17:46 < krzie> the trippy part about it to me is that it sees it at first 17:46 < krzie> (the part of your error i pasted earlier this morning) 17:46 < mooseman447> yea same errors 17:47 < krzie> gimme the pastebin again? 17:47 < krzie> or re=pastebin it 17:47 < mooseman447> ok ill put the fresh log up 17:48 < mooseman447> http://pastebin.com/d60e679fe 17:48 < vpnHelper> Title: pastebin - collaborative debugging tool (at pastebin.com) 17:52 < mooseman447> anything? 17:55 < mooseman447> how woulld i start recompiling the kernel like you recommended? 
17:56 < krzie> thats distro specific 17:57 < krzie> just google [your distro] recompile kernel openvpn 17:57 < krzie> !bridge 17:57 < vpnHelper> krzie: "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better., or (#4) useful for windows sharing (without wins server) and LAN gaming, anything where (1 more message) 17:57 < mooseman447> but what did you think of the log file? 17:58 < krzie> did you read all notes at: http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html 17:58 < vpnHelper> Title: Ethernet Bridging (at openvpn.net) 17:58 < krzie> Ethernet Bridging Notes 17:59 < mooseman447> yea why? 18:00 < krzie> # When you set up an ethernet bridge, you should manually set the IP address and subnet of the bridge interface and not use an ifconfig directive in the OpenVPN config. This is because unlike a TUN/TAP interface, OpenVPN cannot programmatically set the IP address and netmask of a bridge interface. 18:00 < krzie> you did that? 18:01 < krzie> show me your ifconfig tap0 18:01 < krzie> in fact, after you show me your ifconfig tap0 pastebin your server and client configs 18:01 < mooseman447> i thought the bridge-start script did that stuff 18:03 < mooseman447> http://pastebin.com/d70f38f2c 18:03 < vpnHelper> Title: pastebin - collaborative debugging tool (at pastebin.com) 18:03 < krzie> try not using bridge-start 18:03 < krzie> its important you understand what its doing 18:03 < krzie> once you do, using he script which does it becomes easier 18:04 < mooseman447> server config: http://pastebin.com/d67f8261a 18:04 < vpnHelper> Title: pastebin - collaborative debugging tool (at pastebin.com) 18:06 < krzie> did you edit your bridge-start? 
18:06 < mooseman447> yea i need to add a gw so i would lose connection 18:06 < mooseman447> want to see? 18:06 < krzie> add a gw? 18:07 < mooseman447> http://pastebin.com/d34f7db7b 18:07 < vpnHelper> Title: pastebin - collaborative debugging tool (at pastebin.com) 18:07 < krzie> i dont see that anywhere in sample-scripts/bridge-start from http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html 18:07 < vpnHelper> Title: Ethernet Bridging (at openvpn.net) 18:07 < mooseman447> line 41 18:07 < krzie> whyd you do that? 18:08 < mooseman447> orginally when i ran it i wouldnt be able to ping google or anything outside my subnet 18:08 < krzie> something tells me if that was meant to be there it would have came in the script 18:09 < mooseman447> i saw some posting that someone else did and it was fine 18:09 < mooseman447> i think they modeled the sample as if openvpn was on the gateway like a firewall or something 18:09 < ecrist> foo 18:10 < ecrist> krzie: didn't you put that exclude regex into the bot? 18:10 < krzie> ya just diodnt reload, lol 18:10 < krzie> !quit brb 18:10 < vpnHelper> krzie: Error: You don't have the owner capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified. 18:10 < krzie> bleh 18:10 < krzie> !quit brb 18:10 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has quit ["brb"] 18:11 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN 18:11 < mooseman447> http://tinyurl.com/5qgrbh thats were i learned to add that gateway 18:11 < vpnHelper> Title: OpenVPN - Bridging two networks « Tech Stuff (at tinyurl.com) 18:11 < krzie> www.pastebin.com 18:11 < ecrist> www.pastie.net 18:11 < krzie> http://www.pastebin.com 18:12 < vpnHelper> Title: pastebin - collaborative debugging tool (at www.pastebin.com) 18:12 < krzie> bleh 18:12 < krzie> nice regex :-p 18:12 < ecrist> .*paste.* should have done it. 
18:12 < ecrist> hrm, wonder if it needs ^.*paste.*$ 18:12 < ecrist> hrm, wonder if it needs ^.*past.*$ rather 18:13 < ecrist> otherwise, pastie wouldn't match 18:13 < krzie> nothing without http:// will 18:13 < krzie> www.ircpimps.org 18:13 < krzie> http://www.ircpimps.org 18:13 < vpnHelper> Title: IRC Pimps... (at www.ircpimps.org) 18:14 < krzie> hah i forgot to save the file ;x 18:14 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has quit [Client Quit] 18:15 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN 18:15 < krzie> http://www.pastebin.com 18:15 < vpnHelper> Title: pastebin - collaborative debugging tool (at www.pastebin.com) 18:15 < krzie> well it was saved that time 18:15 -!- teerawi [n=allouh1@91.186.230.10] has joined ##openvpn 18:15 < teerawi> hello 18:15 < teerawi> anyone here can help me with open vpn 18:16 < krzie> your question? 18:17 < teerawi> iam using the windows version, and i want the program to auto login and reconnect whrn connection failure 18:17 < teerawi> iam using the windows version, and i want the program to auto login and reconnect when connection failure 18:17 < ecrist> only one time 18:17 < ecrist> only one time 18:17 < mooseman447> :) 18:18 < teerawi> my adsl disconnect frequently 18:18 < teerawi> so i need it to reconnect when the adsl reconnects 18:19 < teerawi> plz 18:19 < ecrist> teerawi: there's an option in the config file to reconnect automatically. 18:19 < ecrist> also, I'd suggest getting better DSL connection. 18:20 < krzie> !configs 18:20 < vpnHelper> krzie: Error: "configs" is not a valid command. 18:20 < krzie> !config 18:20 < vpnHelper> krzie: (config []) -- If is given, sets the value of to . Otherwise, returns the current value of . You may omit the leading "supybot." in the name if you so choose. 
18:20 < krzie> !sample 18:20 < vpnHelper> krzie: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs 18:20 < krzie> ahh, there they are 18:21 < krzie> in server: keepalive 10 120 18:21 < krzie> in client: resolv-retry infinite 18:21 < krzie> persist-key 18:21 < krzie> persist-tun 18:21 < teerawi> can u tell me whatis the option in the config file 18:21 < krzie> the persists go in both 18:22 < krzie> you may or may not want to adjust the keep-alive 18:22 < krzie> but those are the options you want to read up on 18:23 < teerawi> actualy iam using a modified version for open vpn called ultravpn 18:25 < krzie> well you want to contact the ultravpn developers or support or help channel then 18:25 < krzie> and please do not message me 18:25 < krzie> talk in here 18:25 < teerawi> ok 18:25 < krzie> also dont send me files, and i am not going to edit them for you 18:25 < teerawi> plz check the config 18:25 < krzie> lol 18:25 < teerawi> just check it 18:25 < krzie> i will lead you to water 18:25 < krzie> you must drink or not 18:25 < krzie> i told you what to read up on 18:26 < krzie> !howto 18:26 < vpnHelper> krzie: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! 
http://openvpn.net/howto 18:26 < krzie> and if you arent even running openvpn i dont know how valid that howto and the config options i told you are 18:26 < teerawi> i never used the original openvpn 18:26 < krzie> check with the ultravpn people 18:26 < krzie> i never even heard of it before 18:27 < teerawi> they dont offer any support 18:27 < teerawi> just check the config and u will understand 18:27 < krzie> dude 18:27 < mooseman447> haha 18:27 < krzie> pastebin 18:27 < krzie> dont dcc me stuff 18:29 < teerawi> client 18:29 < teerawi> dev tun 18:29 < teerawi> proto udp 18:29 < teerawi> hand-window 15 18:29 < teerawi> remote-random 18:29 < teerawi> ;remote 87.98.157.30 1194 18:29 < teerawi> ;remote 87.98.241.72 24 18:29 < teerawi> remote 88.191.93.119 21 18:29 < teerawi> remote 88.191.93.119 443 18:29 < teerawi> remote 213.251.133.164 24 18:29 < teerawi> ;remote 87.98.241.72 21 18:29 < teerawi> ;remote 87.98.157.31 80 18:29 < teerawi> resolv-retry infinite 18:29 < teerawi> nobind 18:29 < teerawi> persist-key 18:29 < teerawi> persist-tun 18:29 < teerawi> ca ca.crt 18:29 < teerawi> comp-lzo 18:29 < teerawi> # Set log file verbosity. 18:29 < teerawi> verb 3 18:29 < teerawi> auth-user-pass 18:29 < teerawi> this is what in the config file 18:29 < teerawi> just tell me what to add 18:30 < teerawi> ??? 18:30 < krzie> dude 18:30 < krzie> pastebin 18:30 < teerawi> what is this? 18:32 < krzie> "[##openvpn] Welcome to ##openvpn - recently moved 18:32 < krzie> from #openvpn. Please don't post more than 5 lines to the channel. 18:32 < krzie> We help those who try to help themselves." 
18:32 < krzie> www.pastebin.com 18:32 < krzie> and seriously, you arent even using openvpn 18:32 < krzie> we cant help you 18:32 < krzie> you need ultravpn help 18:33 < krzie> thats like going to #osx and asking a windows question just because microsoft decided to use osx's stuff ;] 18:34 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has quit ["Ctrl-C at console."] 18:34 < teerawi> ok 18:34 < teerawi> here is pastebin 18:34 < teerawi> http://pastebin.com/m31cd7b3 18:35 < teerawi> ultravpn is openvpn program with a pre config file 18:37 < krzie> you looked at keepalive? 18:39 < teerawi> no 18:40 < krzie> krzie> in server: keepalive 10 120 18:40 < krzie> in client: resolv-retry infinite 18:40 < krzie> persist-key 18:40 < krzie> persist-tun 18:41 < krzie> the persists go in both 18:41 < krzie> you may or may not want to adjust the keep-alive 18:41 < krzie> but those are the options you want to read up on 18:42 < teerawi> ok 18:42 < teerawi> thanks, ill try it 18:43 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN 18:44 < krzie> http://www.ircpimps.org 18:44 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has quit [Client Quit] 18:46 < mooseman447> do you know if i should get 1 when i do cat /proc/sys/net/ipv4/ip_forward 18:47 < krzie> if ip forwarding is enabled, yes 18:48 < krzie> if it is not, no 18:51 < krzie> ecrist 18:51 < krzie> that's not a regex 18:51 < krzie> m/.*paste.*/ is 18:52 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN 18:52 < krzie> (i didnt know better either) 18:52 < krzie> http://www.pastebin.com 18:52 < krzie> http://www.IRCpimps.org 18:52 < vpnHelper> Title: IRC Pimps... (at www.IRCpimps.org) 18:52 < krzie> nice 18:53 < ecrist> actually, he's wrong, .*paste.* *is* a regex, m// is telling it to 'match' that string. 18:53 < ecrist> I assumed you were putting my regex in some function or another. 
18:53 < krzie> *shrug* now we know what the bot wants 18:53 < ecrist> m// s//, etc are functions, they're not part of the actual regex. 18:53 < ecrist> tell jamessan he's a fuck tard, with all due respect. :) 18:54 < ecrist> indeed, we do. 18:54 < krzie> no way, hes main dev of supybot and i appreciate his effort :-p 18:54 < ecrist> and, change that to .*past.* 18:54 < ecrist> or, m/.*past.*/ rather 18:54 < krzie> i think theres likely to be a lot of domains with past in them 18:54 < krzie> paste, not so many 18:55 < ecrist> ok, add one for pastie then as well. 18:55 < ecrist> or 18:55 < krzie> k 18:55 < ecrist> how about this 18:55 < ecrist> m/*.past[ie].*/ 18:55 < ecrist> bulid a char class for i and e. 18:55 < krzie> that works 18:55 < ecrist> :D 18:56 < krzie> !quit rehashing regex 18:56 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has quit [Client Quit] 18:56 < krzie> i also found out that the bot writes its config on exit 18:56 < krzie> so i must make the changes live (which im not sure how yet) or do them AFTER killing the bot 18:57 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN 18:57 < krzie> http://www.pastie.com 18:57 < krzie> http://www.pastebin.com 18:57 < krzie> http://www.IRCpimps.org 18:57 < vpnHelper> Title: IRC Pimps... (at www.IRCpimps.org) 19:02 < krzie> !learn ask as don't ask to ask, just ask your question please 19:02 < vpnHelper> krzie: The operation succeeded. 19:02 -!- teerawi [n=allouh1@91.186.230.10] has quit [Read error: 110 (Connection timed out)] 19:07 -!- burnin [n=burnin@204-228-142-194.ip.xmission.com] has joined ##openvpn 19:08 < krzie> !learn ask as http://www.latinsud.com/answer/ 19:08 < vpnHelper> krzie: The operation succeeded. 
19:09 -!- aia [n=aia@unaffiliated/aia] has joined ##openvpn 19:29 -!- Irssi: ##openvpn: Total of 29 nicks [0 ops, 0 halfops, 0 voices, 29 normal] 19:44 -!- nantes_geek [n=nantes_g@ARouen-153-1-67-239.w90-17.abo.wanadoo.fr] has quit [Read error: 110 (Connection timed out)] 19:46 -!- nantes_geek [n=nantes_g@ARouen-153-1-67-239.w90-17.abo.wanadoo.fr] has joined ##openvpn 20:14 -!- erimar77 [n=Administ@75-132-242-158.dhcp.stls.mo.charter.com] has joined ##openvpn 20:15 < erimar77> quick question if anyone's around 20:17 < krzie> !ask 20:17 < vpnHelper> krzie: "ask" is (#1) don't ask to ask, just ask your question please, or (#2) http://www.latinsud.com/answer/ 20:19 < erimar77> any tricks to getting a windows 2008 server client working 20:19 < erimar77> i copied everything over from an xp installation that was working great 20:19 < krzie> ive never even seen win2k8... 20:20 < krzie> (not a win user) 20:20 < erimar77> the network just kinda seems to die although i do get an ip from the vpn server 20:20 < krzie> is it having problems adding routes? 
20:20 < erimar77> i believe that's the issue 20:20 < krzie> try route-method exe 20:21 < krzie> i saw that on the mail list, seemed to help some people with some windows versions 20:21 < erimar77> just stick that in the conf file somewhere 20:21 < krzie> ya i believe so 20:21 < erimar77> i'll give it a whirl and will be back if it disconnects 20:21 < krzie> prolly nice and early in the config 20:21 < krzie> cool ya let me know if it works too pls 20:22 < krzie> that way i know for the next person who asks =] 20:29 -!- erimar77 [n=Administ@75-132-242-158.dhcp.stls.mo.charter.com] has quit [Read error: 104 (Connection reset by peer)] 20:30 < aia> http://gizmodo.com/5035456/blue-screen-of-death-strikes-birds-nest-during-opening-ceremonies-torch-lighting 20:30 < vpnHelper> Title: Olympic Fail: Blue Screen of Death Strikes Bird's Nest During Opening Ceremonies Torch Lighting (at gizmodo.com) 20:30 -!- erimar77 [n=Administ@75-132-242-158.dhcp.stls.mo.charter.com] has joined ##openvpn 20:30 < erimar77> ok, that seemed to work, but locked up my irssi and my freenode account for some reason 20:30 < aia> hmm 20:31 < erimar77> kept saying i was already connected, but anyways the route-method exe worked 20:40 < krzie> nice 20:40 < krzie> ya makes sense it killed your connection 20:41 < krzie> changed your default route 20:41 < krzie> !learn winroute as try route-method exe 20:41 < vpnHelper> krzie: The operation succeeded. 20:42 < krzie> thanx for the feedback erimar77 20:45 * ecrist notes that it shouldn't matter where it is in the config, as long as it's there. 20:47 -!- erimar77 [n=Administ@75-132-242-158.dhcp.stls.mo.charter.com] has quit [Read error: 104 (Connection reset by peer)] 20:51 < ecrist> 85 downloads of my ssl-admin freebsd port since jul 21. 
20:51 < ecrist> :) 20:53 < krzie> nice 20:54 < krzie> only reason i said early in the config is i had problems with route command not working low in config but working high in same config 20:54 < krzie> i need to checkout your ssl-admin still 20:54 < krzie> i like how it looks a lot 20:54 < krzie> you should add a !command for it 21:04 -!- near [n=near@83-155-184-101.rev.libertysurf.net] has quit [Read error: 110 (Connection timed out)] 21:04 -!- near [n=near@88-122-26-186.rev.libertysurf.net] has joined ##openvpn 21:14 < ecrist> rowr 21:14 < mooseman447> hi? 21:15 < ecrist> hi 21:17 < ecrist> my IMAP server doesn't want to answer logins. 21:18 < mooseman447> what imap server do you use? 21:19 < ecrist> dovecot 21:20 < mooseman447> oh 21:20 < ecrist> pop3 is working fine, but imap won't auth users 21:21 < mooseman447> what do the logs say? 21:22 < ecrist> nothing, that's the crappy thing. 21:22 < ecrist> auth_worker. just hangs. 21:23 -!- rmull is now known as rmull_ 21:23 < mooseman447> well thats just annoying 21:24 < ecrist> fortunately, I only use IMAP for webmail, and don't really have any users that depend on webmail, so it's not a huge deal. 21:25 < mooseman447> yea i once setup a little mail setup but never did anything with it 21:28 < ecrist> I've been running a little mail setup for over 10 years. :) 21:29 < mooseman447> everytime i sent an email to someone because i didnt have a regular static ip it would get filtered as spam... 21:30 < ecrist> yeah, it's pretty hard to run mail well without statics ips 21:41 < mooseman447> i just asked in the debian channel and apparently tap0 shouldnt have a device 21:42 < ecrist> didn't think it should... 21:42 < ecrist> it should only exist in kernel memory. 
21:43 < mooseman447> its kinda odd though because the openvpn log says it cant open /dev/tap0 22:00 < ecrist> ok, figured out my dovecot stuff - it's ssl related, but I don't care enough to actually remedy it tonight 22:00 < ecrist> g'night folks 22:01 < mooseman447> ok good night 22:03 -!- near [n=near@88-122-26-186.rev.libertysurf.net] has quit [Read error: 101 (Network is unreachable)] 22:04 -!- near [n=near@88-122-26-215.rev.libertysurf.net] has joined ##openvpn 22:06 < mooseman447> haha #debian can't figure it out and send me here 22:12 < mooseman447> without the up /usr/sbin/bridge-start then the bridge wont come up right? 22:32 -!- nantes_geek [n=nantes_g@ARouen-153-1-67-239.w90-17.abo.wanadoo.fr] has quit [Read error: 110 (Connection timed out)] 22:33 -!- nantes_geek [n=nantes_g@ARouen-153-1-67-239.w90-17.abo.wanadoo.fr] has joined ##openvpn 22:43 -!- aia [n=aia@unaffiliated/aia] has quit [Read error: 110 (Connection timed out)] 22:55 -!- mooseman447 [n=mooseman@24.229.203.37.res-cmts.sm.ptd.net] has quit ["Leaving"] 23:39 -!- burnin [n=burnin@204-228-142-194.ip.xmission.com] has quit ["Leaving"] 23:45 -!- mooseman447 [n=mooseman@24.229.203.37.res-cmts.sm.ptd.net] has joined ##openvpn 23:46 < krzee> mooseman447, i think you're supposed to run bridge-start before openvpn 23:46 < mooseman447> doesnt it know that when i put in the config with up? 23:46 < krzee> i believe up gets run on successful connection 23:47 < mooseman447> ok ill try running manually 23:47 < mooseman447> did you hear about no tap0 in /dev? 23:47 < krzee> ya 23:47 < krzee> like i said i dunno bout linux much 23:47 < krzee> in fbsd it exists 23:48 < mooseman447> yea i thought it would exist though because there is /dev/net/tun which i guess is the tun device 23:49 -!- SirFunk [n=jeffutte@206-159-155-246.netsync.net] has joined ##openvpn 23:50 < SirFunk> i have a strange situation here... i have 3 boxes 2 windows 1 linux and a openvpn server (linux) ... 
the windows boxes can connect to the linux boxes or the server... however nothing (even the server) can connect to the windows boxes 23:50 < SirFunk> i can't figure it out 23:51 < krzee> windows firewall 23:51 < SirFunk> i can't even ping them 23:51 < SirFunk> nor connect to services that should be open 23:52 < mooseman447> krzee ok i just started openvpn and the error isnt in the log 23:52 < mooseman447> ill connect a client and see what happens 23:52 < krzee> go into security center, firewall, advanced, and uncheck your openvpn interface 23:55 < krzee> luckily i have a windows laptop i just fixed handy to know how to get there 23:55 < krzee> hehe 23:55 < SirFunk> hmm... one of them is server 2003 which claims the firewall is turned off 23:55 < SirFunk> i still can't ping it 23:55 < mooseman447> hmm so far i dont think its working i cant ping anything 23:55 < krzee> SirFunk, routed or bridged? 23:56 < SirFunk> routed 23:56 < krzee> mooseman447, looks like you have another problem as well then 23:56 < krzee> SirFunk, does the windows machine have the route? 23:56 < krzee> !winroute 23:56 < vpnHelper> krzee: "winroute" is try route-method exe 23:56 < krzee> !forget winroute 23:56 < vpnHelper> krzee: The operation succeeded. 23:56 < SirFunk> that machine can ping the server, so i'm assuming so 23:56 < mooseman447> well the openvpn client came up fine i dont see any errors in the log but then again it worked fine before too 23:57 < SirFunk> oh i lied! 23:57 < SirFunk> :-P 23:57 < SirFunk> too many boxes, i guess i hadn't tried pinging form that one 23:57 < krzee> !learn winroute as in windows if the route cannot be added, try route-method exe in your config file 23:57 < vpnHelper> krzee: The operation succeeded. 23:58 < krzee> mooseman447, you usiong verb 6? 23:58 < krzee> using 23:58 < mooseman447> verb 6? 
23:58 < mooseman447> im using this http://openvpn.se/ 23:58 < vpnHelper> Title: OpenVPN GUI for Windows (at openvpn.se) 23:58 < krzee> whats that pastebin to your config files? 23:59 < SirFunk> the logs say "routing gateway is not reachable on any adapter" --- Day changed Tue Aug 12 2008 00:00 < krzee> [22:21] what do the logs say? 00:00 < krzee> [22:22] nothing, that's the crappy thing. 00:00 < krzee> [22:22] auth_worker. just hangs. 00:00 < mooseman447> just to test im using a laptop on wifi which is on a different subnet 192.168.2.x vs 192.168.1.x for my regular lan 00:00 < mooseman447> http://pastebin.com/d128744e 00:01 < krzee> ecrist, try traceing the process and see what syscall it hangs on 00:01 < krzee> err 00:01 < krzee> same lan, no router in between just diff subnets? 00:02 < mooseman447> i have a firewall with different interfaces 00:02 < mooseman447> i can only connect to one machine on that lan and thats the vpn server with 1194 udp 00:03 < krzee> i have no idea whether that will be a problem 00:03 < krzee> but it may 00:03 < mooseman447> ok well i cant go anywhere to truley test from the internet 00:04 < mooseman447> i would think that if i defiently cant ping a machine without the vpn then once i get a working vpn i could right? 00:04 < krzee> ya, as long as routing isnt going to get confused 00:05 < krzee> what is your vpn subnet? 00:05 < mooseman447> what do you mean? 00:05 < krzee> oh right its tap 00:05 < mooseman447> i got 192.168.1.201 from the server 00:06 < mooseman447> haha all this damn effort was for that tap... 00:06 < SirFunk> imagine that.. 
internet connection settings trusted zone junk was blocking it 00:06 < krzee> its 1am and im not fully sober :-p 00:06 < krzee> SirFunk, yup 00:06 < mooseman447> fair enough 00:06 < krzee> windows is fun like that =/ 00:06 < krzee> haha 00:06 < krzee> ok, what do clients in the LAN have as their default router in 192.168.2.x lan 00:07 < mooseman447> 192.168.2.1 00:08 < mooseman447> and the regular lan uses 192.168.1.1 which is the same physical computer with just 3 nics 00:08 < krzee> so once we get the bridge up you will need to tell 192.168.2.1 to route 192.168.1.X to 192.168.2.vpn-endpoint 00:08 < krzee> which is where doing this one same LAN gets fucked up 00:09 < krzee> because 192.168.2.1 already has a route for 192.168.2.X 00:09 < krzee> err 1.X 00:09 < krzee> since its a LAN directly attached as well 00:09 < krzee> see what i mean? 00:09 < mooseman447> ok hang lets see if i can find some free wifi somewhere around my house 00:18 -!- mooseman557 [n=mooseman@pool-72-92-98-52.phlapa.east.verizon.net] has joined ##openvpn 00:18 < mooseman557> god its annoying to register a new nick 00:18 < mooseman557> ok im on a new network 00:20 < mooseman557> omg its working 00:24 < krzee> hehe 00:24 < mooseman557> i think you might just be a genius 00:25 < mooseman557> well i cant believe the solution was that tap was just fine but i was trying to run it when it was already started... 
00:25 < krzee> *shrug* thats how ya learn =] 00:25 < mooseman557> yea it was fascinating 00:25 < mooseman557> ok im going to bed now 00:26 < mooseman557> thanks a million man 00:26 < mooseman557> i really do appreciate it 00:27 -!- mooseman557 [n=mooseman@pool-72-92-98-52.phlapa.east.verizon.net] has quit ["it works!"] 00:28 -!- mooseman447 [n=mooseman@24.229.203.37.res-cmts.sm.ptd.net] has quit [Remote closed the connection] 00:36 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has quit [Remote closed the connection] 00:57 -!- int [n=quassel@wikia/int] has quit [Remote closed the connection] 01:59 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN 02:14 < kraut> moin 02:14 < krzee> !learn kraut as moin 02:14 < vpnHelper> krzee: The operation succeeded. 02:15 < krzee> thats like clockwork 02:15 < krzee> lol 02:23 -!- BoomSie [n=gideon@dw772421126.amsterdam-tc.dataweb.net] has joined ##openvpn 02:44 -!- nantes_geek [n=nantes_g@ARouen-153-1-67-239.w90-17.abo.wanadoo.fr] has quit [Read error: 110 (Connection timed out)] 04:04 -!- mcp [n=hightowe@wolk-project.de] has quit ["changing servers"] 05:22 -!- nantes_geek [n=nantes_g@ARouen-153-1-67-239.w90-17.abo.wanadoo.fr] has joined ##openvpn 05:38 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 05:44 -!- edeca [n=david@emo.two-pebbles.com] has joined ##openvpn 05:44 < edeca> Is there any easy way for my users to change the passphrase on .key files I give them, in Windows? 05:45 < krzee> not sure if thats what it does, but openvpn GUI has a change password feature 05:46 < krzee> worth looking at and seeing if it uses .key files 05:46 < krzee> it might just be what you are talking about 05:46 < edeca> It does? Meh, idiot me! :) 05:46 < edeca> I'll look 05:46 < krzee> (im not a windows user) 05:46 * edeca boots Windows 05:46 < krzee> but pls do inform me 05:46 < edeca> Me neither :0 05:49 < edeca> That works fine, thanks! 
05:49 < krzee> nice, thank you 05:50 < krzee> !learn winpass as openvpnGUI for windows has a change password feature that will change the passphrase on your .key files 05:50 < vpnHelper> krzee: The operation succeeded. 06:16 -!- thrope [n=thrope@87-194-103-206.bethere.co.uk] has joined ##openvpn 06:17 < thrope> does openvpn work for a lot of clients behind the same nat connecting to the same vpn? 06:18 < krzee> let the other clients connect through 1 06:18 < krzee> much easier! 06:18 < krzee> all you need to do is add the route on their gateway and done 06:19 < krzee> (and let openvpn know about it) 06:19 < hawk> thrope: That should work okay... It's plain UDP (or TCP if you configure it that way) 06:19 < thrope> can you forward dns through the gateway as well 06:20 < krzee> why not 06:20 < thrope> it wasn't working with another package (ipsec based) 06:20 < krzee> ahh 06:20 < krzee> well yup =] 06:20 < krzee> you can forward * through it if you like 06:20 < thrope> so could just do a static point to point openvpn 06:23 < krzee> thrope, what do you mean? 06:23 < thrope> sorry - just found the static key howto 06:23 < thrope> so thats the sort of config we would use 06:23 < krzee> less secure 06:23 < krzee> why would you need static key? 06:24 < krzee> you just need a standard setup from what you said so far 06:24 < krzee> just link 1 machine from lan to server 06:24 < krzee> and tunnel the lan through the vpn link 06:24 < krzee> !sample 06:24 < vpnHelper> krzee: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs 06:24 < krzee> thats a good starting point 06:25 < krzee> !route 06:25 < vpnHelper> krzee: Error: "route" is not a valid command. 06:25 < krzee> you'll just need to add a route for the LAN 06:25 < krzee> to the server config 06:26 < krzee> well, is the lan behind server or client? 
06:26 < krzee> you might need iroute 06:26 < krzee> !iroute 06:26 < vpnHelper> krzee: "iroute" is does not bypass the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. ccd entries are basically included into server.conf, but only for the specified client, so when the network is behind a client the iroute goes into the clients ccd entry. 06:27 < krzee> but ya, its meant for that 06:27 < krzee> you dont need a bunch of vpn links, just 1 06:27 < krzee> then you route over it 06:47 -!- thrope [n=thrope@87-194-103-206.bethere.co.uk] has quit [Remote closed the connection] 06:48 -!- thrope [n=thrope@87-194-103-206.bethere.co.uk] has joined ##openvpn 06:56 < krzee> !menu 06:56 < vpnHelper> krzee: Error: "menu" is not a valid command. 06:58 -!- kexman [i=kexman@unaffiliated/kexman] has joined ##openvpn 06:59 < kexman> wtf is wrong with my tap adapter ? 06:59 < kexman> why wont it come online when i start openvpn ? 06:59 < krzee> not sure yet 06:59 < kexman> it was working before 06:59 < krzee> heh 06:59 < kexman> krzee: helloo 06:59 * krzee consults his magic 8-ball 06:59 < kexman> okay 06:59 < krzee> it said "not enough information" 07:00 < kexman> looking at logs 07:00 < kexman> :) 07:00 < kexman> yeah 07:00 < kexman> no log file :P 07:00 < kexman> nor status :) hehe 07:00 < krzee> pastebin the error logs at verb 6 07:00 < krzee> and the configs 07:00 < krzee> but first of all, are you sure you want bridge? 
07:01 < krzee> !bridge
07:01 < vpnHelper> krzee: "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better., or (#4) useful for windows sharing (without wins server) and LAN gaming, anything where (1 more message)
07:01 < krzee> !more
07:01 < vpnHelper> krzee: the protocol uses MAC addresses instead of IP addresses.
07:01 < kexman> krzee: yep
07:01 < kexman> its all bridged
07:01 < kexman> vpn eth and wlan :)
07:01 < kexman> into openwrt :)
07:01 < kexman> its good
07:01 < kexman> yeah i know routing works too
07:01 < kexman> but its good like hits
07:01 < kexman> *this*
07:01 < kexman> better for me i think
07:01 < kexman> also i can use shares (windows) and play games (udp bcast)
07:01 < krzee> wait, your vpn is for inside the lan?
07:01 < kexman> naaa
07:02 < kexman> its just bridged to it
07:02 < krzee> oh ok
07:02 < kexman> its for me connecting from outside
07:02 < cpm> intra-lan vpn, ,
07:02 < kexman> let me add a status and log an ill be back in a sec
07:02 * cpm shudders
07:02 < krzee> gotchya
07:02 < kexman> cpm: that's cool
07:02 < krzee> cpm, ya wouldnt work
07:02 < kexman> why not ? :)
07:02 < cpm> oh, it'll work.
07:02 < kexman> aaa
07:02 < kexman> yeah
07:02 < krzee> that was part 2 of moose's problem
07:02 < krzee> i got him on another network and boom it worked
07:02 < cpm> spend all that money on a lan, that will end up performing like 10base-2 over coax
07:03 < krzee> no, wont even work
07:03 < krzee> routing gets all confused
07:03 < kexman> i had to remove my logging since i installed openvpn on a router
07:03 < cpm> combined with managed vlans, it works.
07:03 < krzee> well ya
07:03 < kexman> which would had died of all that logging :)
07:03 < kexman> well hmm now that i think of
07:03 < kexman> it could had logged to ramfs
07:03 < krzee> well now you wanna turn it on
07:03 < kexman> ehh never mind, thinking out loud :)) hehe
07:03 < krzee> can turn it off after :-p
07:03 < kexman> krzee: working on it
07:04 < kexman> but this the client :) so i can turn it on. not even sure why was turned off
07:04 < krzee> 07:58] * kexman (i=kexman@unaffiliated/kexman) has joined ##openvpn
07:04 < krzee> [07:59] wtf is wrong with my tap adapter ?
07:04 < krzee> [07:59] why wont it come online when i start openvpn ?
07:04 < krzee> chuckles at that before looking at logs
07:04 < krzee> ;]
07:04 < kexman> i was looking
07:04 < kexman> at /var/log/messages
07:05 < kexman> log openvpn.log
07:05 < kexman> i now have that
07:05 < kexman> but no openvpn.log
07:05 < kexman> should i add the full path ?
07:05 < krzee> give it a shot
07:05 < kexman> status openvpn-status.log
07:05 < kexman> log /etc/openvpn/openvpn.log
07:09 < kexman> http://rafb.net/p/FztRaS94.html
07:09 < vpnHelper> Title: Nopaste - No description (at rafb.net)
07:09 < kexman> not good
07:10 < krzee> thats verb 6?
07:10 < kexman> nope :(
07:10 < kexman> verb 3 :)
07:10 < kexman> uff :)
07:10 < krzee> [08:00] pastebin the error logs at verb 6
07:11 < kexman> sorry
07:11 < krzee> np
07:11 < krzee> but im going to sleep soon
07:13 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has quit [Remote closed the connection]
07:13 < kexman> ] pid=23 DATA len=100
07:13 < kexman> Tue Aug 12 15:13:07 2008 us=23649 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
07:14 < kexman> Tue Aug 12 15:13:07 2008 us=23762 TLS Error: TLS handshake failed
07:14 < kexman> Tue Aug 12 15:13:07 2008 us=24136 TCP/UDP: Closing socket
07:14 < kexman> Tue Aug 12 15:13:07 2008 us=24202 SIGUSR1[soft,tls-error] received, process restarting
07:14 < krzee> pastebin!
07:14 < kexman> Tue Aug 12 15:13:07 2008 us=24242 Restart pause, 2 second(s)
07:14 < kexman> before it i get alot of this : ] pid=23 DATA len=100
07:14 < kexman> this is the actual error
07:14 < krzee> dude
07:14 < krzee> paste
07:14 < krzee> bim
07:14 < krzee> bin
07:14 < kexman> im sorry
07:14 < krzee> its only 1 sentance
07:14 < krzee> [08:10] [08:00] pastebin the error logs at verb 6
07:14 < krzee> if you follow the manual that well how will you get openvpn working?
07:14 < krzee> :-p
07:14 < kexman> http://rafb.net/p/tgqT9O90.html getting lots of these then what i pasted here
07:15 < kexman> krzee: the only thing i change
07:15 < kexman> is mtu
07:15 < kexman> i told eth0 to work at 1500
07:15 < kexman> hmm
07:15 < krzee> you cant do that
07:15 < kexman> and restarted eth0
07:15 < krzee> not on tap
07:15 < kexman> no ?
07:15 < kexman> not on tap
07:15 < krzee> right
07:15 < kexman> on my eth0 locally
07:15 < krzee> maybe
07:15 < krzee> change it back and try
07:15 < kexman> ill try to set it back and see
07:15 < kexman> yeah
07:15 < kexman> that was i thinking
07:15 < kexman> but i wanted to see the verb 6 log before :)
07:16 < krzee> did you change both sides of the tunnel =?
07:17 < kexman> krzee: it was working very well
07:17 < kexman> and i didnt used it for a bit couple hours
07:17 < kexman> changed that mtu
07:17 < kexman> and now it just wont work :)
07:17 < krzee> [08:16] did you change both sides of the tunnel =?
07:17 < kexman> krzee: i didnt changed anything on the server
07:17 < krzee> well
07:18 < krzee> i wouldnt expect that to work
07:18 < krzee> even if you can change a tap, ild expect both sides to need to be =
07:18 < krzee> with tun you adjust inside openvpn so it keeps both =
07:18 < kexman> and changin back the mtu and still nothing
07:18 < kexman> wait
07:18 < kexman> what are you talking about ?
07:18 < kexman> i didnt touched nothing on my openvpn settings
07:19 < kexman> and it was working okay
07:19 < kexman> my tap adapter wont come online
07:19 < krzee> i know, you changed the interface
07:19 < kexman> now
07:19 < kexman> noooo
07:19 < kexman> i changed the mtu of interface eth0
07:19 < kexman> which is my NIC on this laptop
07:19 < krzee> bridge-stop bridge-start
07:19 < kexman> nononono i didnt changed nothing in openvpn.conf
07:19 < kexman> hmmm
07:19 < krzee> dude i know
07:19 < kexman> maybe router bokred out ?
07:19 < krzee> to tune a TUN one you do that
07:19 < kexman> krzee: when would this happen ?
07:19 < kexman> powerfailure ?
07:20 < krzee> dude, what are you talking about?
07:20 < krzee> you're changing interfaces that are inside a bridge already
07:20 < kexman> bridge-stop bridge-start ? where ?
07:20 < krzee> kill the bridge
07:20 < krzee> change the interface back
07:20 < krzee> start the bridge
07:20 < kexman> krzee: i didnt changed no interface
07:20 < krzee> dude
07:20 < kexman> krzee: i did not change no interface nowhere
07:20 < kexman> didnt touched openvpn.conf
07:20 < krzee> you are changing the MTU on the interface
07:21 < kexman> yes i changed it back to normal
07:21 < kexman> and resarted it
07:21 < krzee> is english your first language?
07:21 < kexman> no :) as you have just guessed :P
07:21 < krzee> k =]
07:21 < kexman> and its 30C here :) and im dying of hot
07:21 < krzee> did you kill your bridge and re-bridge it?
07:21 < kexman> krzee: so wait
07:21 < kexman> no
07:21 < kexman> how do i do that ?
07:21 < kexman> :)
07:21 < krzee> give that a shot
07:21 < kexman> on the client you mean ?
07:21 < krzee> i dont use bridges
07:22 < kexman> well
07:22 < kexman> so for a bridge to work
07:22 < krzee> on whatever you were tuning the MTU on
07:22 < kexman> i need it to bridge it on the client as well ?
07:22 < kexman> damn
07:22 < krzee> however you bridged it before, undo it and redo it
07:22 < kexman> krzee: the bridging is done on the server, no ?
07:22 < krzee> dude
07:22 < krzee> which did you tune MTU on?
07:22 < kexman> laptop
07:23 < kexman> from 576 to 1500
07:23 < krzee> is there a bridge on it?
07:23 < kexman> how can i know ? :)
07:23 < kexman> i didnt set up on here
07:23 < krzee> if you dont know how to see theres a bridge or not you might not want to use tap
07:23 < kexman> but when openvpn starts there is no tap0 that is what i see and its different then before
07:23 < kexman> hmm
07:23 < kexman> krzee: but on the router i know how to see if there is a bridge
07:24 < kexman> router = openvpn server
07:24 < kexman> laptop = openvpn client
07:24 < krzee> laptop OS?
07:24 < kexman> both will have bridges when using tap ?
07:24 < kexman> linux
07:24 < krzee> ifconfig
07:24 < krzee> heh
07:24 < krzee> i dont use tap
07:24 < krzee> havnt in yrs
07:24 < kexman> :)
07:24 < krzee> so while i dont know, i think both get a bridge
07:24 < kexman> i didnt had no problem with it before
07:24 < kexman> aha
07:24 < kexman> well i didnt knew this before
07:25 < kexman> but all i know there is no tap here
07:25 < kexman> and it should be when i start openvpn
07:25 < krzee> !bridge
07:25 < krzee> doh
07:25 < kexman> looking it up
07:25 < kexman> krzee: thanx for the support
07:25 < kexman> ill get to it
07:25 < kexman> go to sleep :)
07:25 < kexman> dont bother with this bridge
07:25 < kexman> its not that important anyway
07:25 < kexman> ill fix it somehow
07:26 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN
07:26 < rmull_> vpnHelper: Hello
07:26 < vpnHelper> rmull_: Error: "Hello" is not a valid command.
07:26 < rmull_> :(
07:26 < krzee> !bridge
07:26 -!- rmull_ is now known as rmull
07:26 < vpnHelper> krzee: "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better., or (#4) useful for windows sharing (without wins server) and LAN gaming, anything where (1 more message)
07:26 < krzee> read those links
07:26 < krzee> they are filled with bridge info
07:27 < krzee> rmull, thats his way of saying good morning ;]
07:27 < kexman> :)
07:27 < kexman> krzee: maybe routing was better :)
07:27 < kexman> i had that working
07:27 < krzee> i cant sleep just yet
07:27 < krzee> gotta finish rebuilding my server
07:28 < krzee> well if you dont need games/ windows sharing with wins, then routing is def better
07:28 < krzee> but for the lan gaming and windows sharing with no WINS, you need bridge
07:29 < krzee> but #1 and #2 have tons of info
07:29 < kexman> krzee: im looking at the log on the server now
07:29 < krzee> besides my anti-brdige propaganda in #3 and #4
07:29 < krzee> hehe
07:29 < kexman> krzee: i know
07:29 < kexman> i read all inside out the openvpn doc :)
07:29 < kexman> i had routing working
07:30 < kexman> then worked alot to make bridgin working
07:30 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has quit [Remote closed the connection]
07:30 < kexman> for starcraft to work :)
07:30 < kexman> Jan 1 03:27:43 OpenWrt daemon.err openvpn[882]: 82.79.113.68:31779 TLS Error: TLS object -> incoming plaintext read error
07:30 < kexman> Jan 1 03:27:43 OpenWrt daemon.err openvpn[882]: 82.79.113.68:31779 TLS Error: TLS handshake failed
07:30 < kexman> this is the problem
07:30 < kexman> on the server
07:30 < krzee> pastebin the whole log with verb 6
07:30 < kexman> VERIFY ERROR: depth=1, error=certificate is not yet valid
07:30 < kexman> omfg :)
07:30 < krzee> !learn log as please pastebin your logfile with verb set to 6
07:30 < krzee> ahhh
07:30 < krzee> ntpdate time.nist.gov
07:31 < krzee> on both
07:31 < kexman> yeah router didnt had date set right
07:31 < kexman> restarting and trying again
07:31 < kexman> grrr
07:31 < krzee> which machine made the certs?
07:31 < kexman> working :))))
07:31 < kexman> krzee: 3rd one :)
07:31 < krzee> hehe right on
07:31 < kexman> but wtf ?
07:31 < krzee> if it had been router you woulda had to remake them
07:31 < kexman> openvpn started up before date was set and that borked everything ?
07:32 < krzee> no idea
07:32 < kexman> hmm
07:32 < kexman> strange
07:32 < krzee> (no idea why it worked before i mean)
07:32 < kexman> rebooting router to test
07:32 < kexman> hmm
07:32 < kexman> wait
07:32 < kexman> krzee: i didnt had internet when the router rebooted
07:32 < kexman> cable modem syncronizes slower
07:32 < kexman> hmmm
07:32 < kexman> still strage
07:34 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN
07:34 < krzee> there hes back now
07:34 < krzee> had to reboot into new system
07:34 < krzee> vpnHelper, krzee
07:34 < vpnHelper> krzee: "krzee" is http://www.ircpimps.org/pimpin.jpg
07:34 < krzee> hehe
07:35 < kexman> krzee: thanx for the support
07:35 < krzee> yw
07:35 < kexman> thinking now what to do to make certificates valid even if this happens .....
07:36 < krzee> have a script start openvpn after it syncs the time
07:36 < kexman> krzee: and starts only after the sync ?
07:36 < kexman> good point
07:36 < krzee> right
07:36 < kexman> otherwise what would happen
07:36 < krzee> sync && openvpn
07:36 < kexman> lets say certificates are valid from 2008
07:36 -!- m0b [i=elusive@neighborhood.dopeslinger.com] has joined ##openvpn
07:36 < m0b> hello
07:36 < kexman> and openvpn starts with those certs in 2001 :)
07:37 < krzee> hey m0b
07:37 < kexman> doesnt loads the certificates ?
07:37 < ecrist> hi m0b
07:37 < kexman> anyone can connect ???
07:37 < kexman> no one can connect ?
07:37 < kexman> good question !
07:37 < m0b> im having troubl getting my network routed thru the vpn
07:37 < krzee> kex
07:37 < krzee> [08:30] VERIFY ERROR: depth=1, error=certificate is not yet valid
07:37 < m0b> i can ping it and all
07:37 < krzee> not a good question, you already had it happen and figured out the problem
07:37 < kexman> krzee: wait wait wait
07:37 < kexman> but what happens then ?
07:37 < ecrist> m0b: are you doing routed or bridged vpn?
07:37 < m0b> routed
07:37 < krzee> mornin ecrist
07:37 < kexman> so it doesnt loads the server certificate ?
07:37 < m0b> linux
07:37 < kexman> who can connect then ?
07:38 < krzee> kexman, it checks it and says error=certificate is not yet valid
07:38 < krzee> nobody
07:38 < krzee> you just had tha problem!
07:38 < ecrist> m0b: can you show me your vpn server config, please?
07:38 < m0b> oh that is a date problem
07:38 < m0b> isnt it?
07:38 < m0b> server config ?
07:38 < kexman> krzee: okay :)
07:38 < ecrist> m0b: yes
07:38 < m0b> ok
07:38 < kexman> i mean but without using any certificates :)
07:38 < kexman> i was just thinking if openvpn would go into "failsafe" mode :))
07:39 < kexman> stupid idea :) okay i know :)
07:39 < krzee> thank god it wont
07:39 < kexman> :) yeah
07:39 < krzee> haha
07:39 < kexman> openvpn was designed with that in mind
07:39 < kexman> stupid from me to ask such a question
07:39 < m0b> can i paste in here
07:39 < m0b> ?
07:39 < m0b> or in pm?
07:39 < krzee> m0b, pastebin please
07:39 < ecrist> no, use pastebin or something.
07:39 < krzee> !pastebin
07:39 < m0b> ok
07:39 < vpnHelper> krzee: Error: "pastebin" is not a valid command.
07:39 < kexman> krzee: look someone suggested adding date -s in the startup script :)
07:39 < kexman> good idea
07:39 < kexman> and set the date to the boundry of the cert
07:39 < ecrist> ick
07:39 < kexman> hmm ? :) well its a dirty hack :)
07:40 < krzee> !learn pastebin as please paste anything with more than 5 lines into pastebin or a similar website
07:40 < vpnHelper> krzee: The operation succeeded.
07:40 < m0b> http://pastebin.ca/1167921
07:40 < krzee> mob, also please do this:
07:40 < krzee> !logs
07:40 < vpnHelper> krzee: Error: "logs" is not a valid command.
07:40 < ecrist> why are you hacking the date? what did I miss?
07:40 < krzee> !log
07:40 < vpnHelper> krzee: (log ) -- Logs to the global Supybot log at critical priority. Useful for marking logfiles for later searching.
07:40 < m0b> hehe i had the date problem
07:41 < m0b> i had to make both server and client in same timezone
07:41 < ecrist> m0b: why are you using ifconfig instead of server?
07:41 < krzee> !learn logs as please pastebin your logfile with verb set to 6
07:41 < vpnHelper> krzee: The operation succeeded.
07:41 < m0b> erm dunno i was having trouble and a friend gave me his configs
07:41 < krzee> server and client dont need to be in the same timezone
07:41 < krzee> they just need to be at same time
07:41 < krzee> based on UTC
07:41 < m0b> ah
07:42 < kexman> krzee: i could make a script that loops ntp-client && openvpn right ?
07:42 < m0b> well the server is bsd the client is linux
07:42 < krzee> ntpdate time.nist.gov will make that right regardless of timezone
07:42 < krzee> kexman, loops!?
07:42 < ecrist> kexman: run ntpd
07:42 < kexman> so it would look until ntp-client exits with okay :)
07:42 < ecrist> just keep your server's date set correctly - you can't account for poor administration of the remote users.
07:42 < ecrist> :)
07:42 < kexman> krzee: well it i do just ntp-client && openvpn and ntp-client failt then openvpn would not start !
07:42 < kexman> but i need it to start
07:43 < kexman> so it should try try try and retry until end of days :)
07:43 < krzee> kexman, does your router keep time across power losses?
07:43 < kexman> ecrist: embedded router
07:43 < kexman> krzee: nope
07:43 < m0b> perhaps i mixed the server/client conf up ?
07:43 < m0b> heh
07:43 < m0b> i thought for sure that was right tho
07:43 < ecrist> m0b: looks like it
07:44 < m0b> so you say use the server line instead of the ifconfig ?
07:44 < krzee> until ntpdate
07:44 < ecrist> yes
07:44 < krzee> sleep 5
07:44 < krzee> done
07:44 < krzee> openvpn
07:44 < kexman> krzee: hmm :)
07:44 < ecrist> why're you using port 443, rather than 1194?
07:44 < kexman> have to look it up when its started
07:44 < kexman> and how :)
07:44 < kexman> krzee: or the openvpn script itself ?
07:44 < krzee> ecrist, is it tcp?
07:45 < krzee> openvpn script i guess, however you start it now...
07:45 < kexman> yep
07:45 < m0b> hmmmmm
07:45 < m0b> but i thought the client connected to the server
07:46 < ecrist> krzee: is what tcp?
07:46 < krzee> nm, when you said port 443 i was thinking if it was tcp could be for firewall reasons
07:46 < m0b> =\
07:46 < m0b> sigh
07:46 < krzee> m0b, heres some configs
07:46 < ecrist> m0b: do you have a firewall you're trying to pass through?
07:46 < krzee> !sample
07:46 < vpnHelper> krzee: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs
07:46 < m0b> can you pastebin me some working configs that will go behind my router
07:46 < ecrist> why aren't you using 1194 udp?
07:47 < kexman> krzee: sleep 10 would be less drasticright ? :)
07:47 < m0b> udp is firewalled
07:47 < krzee> kexman, whatever
07:47 < krzee> m0b, you're using udp
07:47 < m0b> er
07:47 < krzee> oh wait no
07:47 < krzee> tcp-server
07:47 < krzee> my bad
07:47 < m0b> heh
07:48 < ecrist> m0b: remove the ifconfig line, add the server line
07:48 < krzee> im calling your work and telling the IT dept!
07:48 < ecrist> back in
07:48 < krzee> lol
07:48 < m0b> for the server ?
07:48 < ecrist> yes
07:48 < kexman> krzee: you really helped :) supported :)
07:48 < kexman> thank you very much
07:48 < krzee> you're welcome
07:49 < m0b> hm
07:49 < m0b> netmask invalid
07:49 < m0b> 255.255.255.0 ?
07:49 < kexman> krzee: is this good like this : http://rafb.net/p/2LjSnQ78.html
07:49 < vpnHelper> Title: Nopaste - No description (at rafb.net)
07:49 < ecrist> make it read 10.1.0.0 255.255.255.0
07:49 < ecrist> not 10.1.0.1
07:50 < kexman> i added it to /etc/init.d/openvpn
07:50 < m0b> k
07:50 < kexman> problem is i dont have ntpdate :P lol
07:50 < kexman> uff
07:50 < krzee> whatever you use to sync time
07:50 < kexman> can i add until /etc/init.d/ntpclient start ?
07:50 < kexman> until "/etc/init.d/ntpclient start" ?
07:51 < kexman> config_load ntpclient&
07:51 < ecrist> kexman: wtf? no ntpdate?
07:51 < kexman> no ntpdate :)
07:51 < cpm> get one
07:51 < krzee> hes using embedded router
07:51 < kexman> ecrist: router has 4mb of storage :))
07:51 < cpm> what os?
07:51 < ecrist> m0b: you also seem to be missing a few SSL arguments.
07:51 < krzee> kexman, play with it til it works
07:52 < cpm> what firmware?
07:52 < krzee> ecrist, one of those lame static key setups =/
07:52 * krzee h8
07:52 < ecrist> kexman: my freebsd binary for ntpdate is 30K...
07:56 < m0b> ok
07:56 < m0b> i just used your sample configs
07:56 < m0b> and modded 'em
07:56 < m0b> i can ping 10.1.0.1 now
07:56 < m0b> but still no route thru
07:57 < m0b> sec
07:57 < krzee> what do you mean by route through
07:58 < m0b> http://pastebin.ca/1167939
07:59 < m0b> i want my traffic to go thru the vpn.
07:59 < kexman> ecrist: okay :)
07:59 < kexman> ill try to add that
07:59 < kexman> thanx for the help guys
07:59 < kexman> i got to go now
07:59 < m0b> like ... default gw 10.1.0.1
07:59 < kexman> see ya later
07:59 < m0b> heh
07:59 < ecrist> np
07:59 -!- kexman [i=kexman@unaffiliated/kexman] has left ##openvpn []
08:00 < krzee> you will need NAT too
08:00 < ecrist> m0b: you need nat on the other end, now.
08:00 < krzee> !nat
08:00 < vpnHelper> krzee: "nat" is http://openvpn.net/howto.html#redirect
08:00 < krzee> =]
08:00 < krzee> <3 the bot
08:00 < m0b> other end = serveR?
08:00 < krzee> right
08:00 < krzee> click the link my bot gave you
08:01 < m0b> is there a freebsd cmd
08:01 < m0b> i did
08:01 < m0b> looks like linux
08:01 < m0b> iptables is for linux only right?
08:01 < ecrist> if you're on freebsd, you'll need to use ipfw or pf to nat outbound traffic.
08:01 < ecrist> I'd recommend pf.
08:01 < krzee> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-natd.html
08:01 < vpnHelper> Title: Network Address Translation (at www.freebsd.org)
08:01 < m0b> server is freebsd
08:02 < m0b> client is linux
08:02 < ecrist> client doesn't matter
08:02 -!- tkbeat [n=tk@80.64.182.204] has joined ##openvpn
08:02 < ecrist> this is a server issue.
08:02 < tkbeat> hi there
08:02 < m0b> perfect
08:02 * krzee tags ecrist in
08:02 < m0b> that example image looks exactly as im tryin to configure it
08:02 < m0b> heh
08:02 < krzee> 9am i better think about sleep
08:02 < krzee> nite guys
08:02 < m0b> goodnite thanks
08:03 < krzee> !learn bsdnat as http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-natd.html
08:03 < vpnHelper> krzee: The operation succeeded.
08:04 < tkbeat> i have a little question - i have a client that have to authenticate with user and pass . now i wanna automate this . but in the configfile --auth-user-pass file.txt is not working . why ?
08:05 * ecrist looks
08:05 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"]
08:06 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
08:06 < m0b> guess i gotta rebuild kernel to add ipdevert
08:06 < m0b> heeh
08:06 < ecrist> m0b: use pf
08:06 < ecrist> no kernel rebuild required.
08:06 < m0b> how?
08:06 < krzee> yes, pf > *
08:06 < m0b> awesome
08:06 < ecrist> kldload pf
08:07 < ecrist> tkbeat: have you read the howto on dual-factor authentication?
08:07 < m0b> done..
08:07 < krzee> tkbeat, tried /path/to/file.txt ?
08:07 < tkbeat> ahh no ?!
08:07 < tkbeat> file is in the same subdir
08:08 < m0b> ecrist: anything else?
08:08 < ecrist> tkbeat: you should always use full path.
08:08 < krzee> Note: OpenVPN will only
08:08 < krzee> read passwords from a file if it has been built with the --en-
08:08 < krzee> able-password-save configure option, or on Windows by defining
08:08 < krzee> ENABLE_PASSWORD_SAVE in config-win32.h).
08:08 < ecrist> m0b: hang one.
08:08 < krzee> from man page
08:08 < m0b> np
08:08 < krzee> easily found by looking for --auth-user-pass [up]
08:08 < ecrist> mob, mv /etc/pf.conf /etc/pf.conf.default
08:08 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Remote closed the connection]
08:09 < ecrist> then, create a new /etc/pf.conf with the following lines:
08:09 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
08:09 < tkbeat> but i can put theso what can i do in the windows version ?
08:09 < m0b> err /etc/pf.os ?
08:09 < ecrist> m0b: no, you should have a /etc/pf.conf
08:09 < krzee> in man pages you can search by typing /searchstring
08:09 < m0b> heh.. /etc/pf.os is all i have
08:10 < ecrist> what version of freebsd?
08:10 < m0b> 7.0
08:10 < krzee> tkbeat,
08:10 < ecrist> okie
08:10 < krzee> [09:08] able-password-save configure option, or on Windows by defining
08:10 < krzee> [09:08] ENABLE_PASSWORD_SAVE in config-win32.h).
08:10 < ecrist> so, create /etc/pf.conf
08:10 < ecrist> in the file, have the following lines:
08:10 < krzee> what i dont get is this:
08:11 < m0b> k
08:11 < krzee> why have passwords if you are gunna save them in a file?
08:11 < m0b> lol
08:11 < krzee> is that any better than your certificates?
08:11 < ecrist> ext_ip = 192.168.1.247
08:11 < m0b> worse probablly
08:11 < ecrist> set block-policy drop
08:11 < ecrist> scub in all
08:11 < krzee> m0b, doesnt take away from your certs, but sure doesnt add to them any
08:12 < krzee> scrub is why i love pf
08:12 < krzee> well its the first reason
08:12 < m0b> scrub or scub?
08:12 < krzee> scrub
08:12 < ecrist> scrub
08:12 < ecrist> sorry
08:12 < m0b> typo?
08:12 < m0b> k
08:12 < m0b> 3 lines so far.
08:12 < krzee> he is waking up im falling asleep, between us you have 1 fully awake person
08:12 < ecrist> oh, up above, under ext_ip, add vpn_net = 10.1.0.0/24
08:12 < ecrist> lol
08:12 < tkbeat> where can i found that file ? config-win32.h should i compile openvpn for windows by myself ? krzee there is no other solution in my case
08:13 < ecrist> then, under the scrub,
08:13 < krzee> how is there no other solution?
08:13 < m0b> ok.
08:13 < krzee> tkbeat, you run the client and server?
08:13 < m0b> man this chan is so much help.
08:13 < ecrist> nat on $ext_if from $vpn_net to any -> $ext_ip
08:14 < m0b> i just had a problem with booting and joined #fedora
08:14 < m0b> those people are morons!
08:14 < krzee> ecrist, can you save that stuff to a link for the bot to link to?
08:14 < m0b> i will post it in a pastbin
08:14 < m0b> when done
08:14 < ecrist> m0b: when you're done, copy that to pastebin for my review.
08:14 < tkbeat> no i am only run the client
08:14 < ecrist> krzee: one of these days, yeah.
08:14 < m0b> done now?
08:14 < tkbeat> the serverr is a linuxbox ...client is wondows
08:14 < ecrist> m0b: that's it so for.
08:14 < ecrist> far.
08:15 < m0b> k
08:15 < m0b> http://pastebin.ca/1167961
08:15 < krzee> then yes, you need to compile it in to win version
08:15 < krzee> if you want pw from file
08:16 < krzee> but if the admin finds out expect a backhand
08:16 < krzee> haha
08:16 < tkbeat> hrhr
08:16 < ecrist> m0b: add ext_if = eth0 to the top of the config
08:16 < krzee> for good security people chose 2 of the 3: something you have, something you know, something you are
08:17 < krzee> he chose something you have (certs) and something you know (pass)
08:17 < krzee> you're turning it into 2 something you haves
08:17 < m0b> eth0 is for server?
08:17 < krzee> he wouldnt approve :-p
08:17 < m0b> or client
08:17 < ecrist> then, add pf_load="YES" to /boot/loader.conf
08:17 < tkbeat> ok much thanx anyway
08:17 < ecrist> m0b: that should be the interface that's your external interface.
08:17 < m0b> im useing rl0 on freebsd as default for ipv4
08:18 < ecrist> then use rl0
08:18 < m0b> linux has eth0
08:18 < m0b> k
08:18 < m0b> making sure :)
08:18 < krzee> tkbeat, but yes it can be done, requires compiling it yourself after changing what i pasted
08:18 < ecrist> I'm just going off your pastes.
08:18 < m0b> boot/loader or rc.conf ?
08:19 < ecrist> also, change ext_ip to match your internet ip address.
08:19 < ecrist> I took that IP from the same paste I got eth0 from.
08:19 < m0b> ok
08:19 < ecrist> put that line in /boot/loader.conf
08:19 < m0b> k
08:19 < ecrist> you need to add pf_enable="YES" to /etc/rc.conf
08:19 < ecrist> pf_load="YES" tells the kernel to load the pf module.
08:20 < krzee> your skill-level instantly goes up when you load that module
08:20 < krzee> and clouds part
08:20 < ecrist> pf_enable="YES" tells rc to actually load the ruleset.
08:21 < m0b> err
08:21 < m0b> ok
08:21 < ecrist> oh, crap
08:21 < ecrist> add pass all to the bottom of that ruleset.
08:21 < ecrist> or two lines: pass in all and pass out all, if you prefer.
08:23 < ecrist> are you local, or remote, to the box?
08:23 < m0b> remote
08:23 < ecrist> ok, next run crontab -e
08:24 < ecrist> enter this line: (press i for insert in vi)
08:24 < m0b> pf_enable="YES" >> /etc/rc.conf
08:24 < m0b> pf_load="YES" >> /boot/loader.conf
08:24 < m0b> i know how to use vi. :)
08:24 < ecrist> */20 * * * * /sbin/pfctl -d
08:24 < m0b> crontab -e as root right?
08:24 < ecrist> add that to root's crontab
08:24 < m0b> k
08:25 < m0b> done
08:25 < ecrist> that's a 'don't shoot yourself in the foot' line
08:25 < ecrist> worst case, if you accidentally lock yourself out with a misconfig of the firewall, it will disable pf every 20 minutes.
08:25 < ecrist> when we're done testing, make sure to remove that line.
08:26 < m0b> nice
08:26 < krzee> dont remove it
08:26 < krzee> comment it out
08:26 < krzee> for later usage =]
08:26 < ecrist> now, try /etc/rc.d/pf start
08:26 < m0b> http://pastebin.ca/1167976
08:26 < m0b> good ?
08:27 < ecrist> yep
08:27 < m0b> k
08:27 < m0b> ...
08:27 < m0b> http://pastebin.ca/1167979
08:28 < m0b> tun0 is the interface the vpn is on..
08:29 < m0b> does that matter any here?
08:35 < m0b> vpn_if = tun0
08:36 < m0b> ?
08:37 < ecrist> now try no
08:38 < ecrist> sorry, was cooking a hot pocket.
08:38 < m0b> ?
08:38 < ecrist> mmmmm
08:38 < m0b> heh
08:38 < ecrist> no, you don't need vpn_if
08:38 < m0b> np
08:38 < m0b> did you check the pastebin
08:38 < ecrist> looking
08:39 < m0b> vpn_nat perhaps rather than vpn_net ?
08:39 < ecrist> hang on
08:39 < m0b> k
08:39 < ecrist> re-paste your /etc/pf.conf for me.
08:39 < m0b> http://pastebin.ca/1167976
08:40 < ecrist> ok, change the two lines to read:
08:40 < ecrist> ext_ip="70.204.9.21"
08:41 < ecrist> vpn_net="10.1.0.0/24"
08:41 < ecrist> then, /etc/rc.d/pf reload
08:41 < m0b> ext_if="rl0"
08:41 < m0b> is good too?
08:42 < m0b> Reloading pf rules.
08:42 < m0b> No ALTQ support in kernel
08:42 < m0b> ALTQ related functions disabled
08:49 < ecrist> ok, that's all OK.
08:49 < m0b> ok
08:49 < m0b> dont i need a route cmd on my linux box
08:49 < m0b> ?
08:49 < ecrist> can you pass traffic from the VPN to the public now?
08:49 < ecrist> no extra commands on the linux box
08:49 < m0b> ehm
08:50 < m0b> must i restart the vpns ?
08:50 < ecrist> no, you shouldn't need to
08:50 < m0b> hm
08:51 < ecrist> can you ping 10.1.0.1?
08:51 < m0b> i dont really understand..
08:51 < m0b> yes
08:51 < m0b> i can ping both from each other
08:51 < m0b> but
08:51 < ecrist> ok, that's good
08:51 < m0b> my linux(the client) doesnt go through 10.1.0.1 for inet
08:52 < m0b> it goes thru 192.168.1.1 ...
08:52 < ecrist> can you paste you server openvpn config again?
08:52 < m0b> sure
08:53 < m0b> http://pastebin.ca/1168010
08:54 < ecrist> ah
08:54 < ecrist> you're missing the push "default-route" or whatever that is
08:54 < m0b> ok
08:55 < ecrist> you had it in your first config.
08:55 < m0b> push "redirect-gateway"
08:55 < m0b> ?
08:57 < ecrist> yes
09:00 < m0b> ok
09:00 < m0b> didnt work
09:00 < m0b> i seee bad source address
09:00 < m0b> in the servers status window
09:00 < ecrist> paste, pls
09:01 < m0b> MULTI: bad source address from client [192.168.1.247], packet dropped
09:01 -!- tkbeat [n=tk@80.64.182.204] has quit [Read error: 104 (Connection reset by peer)]
09:01 < ecrist> um, something's wrong
09:01 < ecrist> did you restart your VPN?
09:01 < m0b> yes
09:01 < ecrist> after adding the redirect-gateway, you need to restart the openvpn server and the clients.
09:02 < m0b> i did..
09:02 < ecrist> ok, your VPN server shouldn't be seeing the 192.168.1.247 address at all
09:03 < m0b> what about some metric option
09:03 < m0b> i think i may have changed this before
09:03 < ecrist> ?
09:03 < m0b> tryin to get it to work
09:03 < m0b> some kinda metric -1
09:03 < m0b> ifconfig option
09:03 < m0b> i believe
09:05 < ecrist> not familiar with it, but afaik, you shouldn't need that.
09:06 < ecrist> what I've helped you set up is pretty much exactly what I've got setup here at the office.
09:07 < m0b> hm
09:09 -!- decoder [n=decoder@mordor.cs.uni-sb.de] has joined ##openvpn
09:10 < ecrist> what does /var/openvpn/openvpn-status.log show?
09:11 < m0b> doesnt exist
09:11 < ecrist> on the server.
09:11 < m0b> doesnt exist.
09:11 < ecrist> what does /var/log/openvpn.log sohw?
09:11 < m0b> doesnt exist either
09:11 < ecrist> :\
09:12 < ecrist> did you install openvpn from the freebsd ports tree?
09:12 < m0b> yea 09:12 < m0b> i think so 09:12 < ecrist> hrm 09:13 < ecrist> add these two lines to your vpn server config: 09:13 < ecrist> status /var/openvpn/openvpn-status.log 09:13 < ecrist> log-append /var/log/openvpn.log 09:13 < ecrist> you may need to create /var/openvpn directory 09:14 < m0b> ook 09:15 < m0b> ok 09:15 < m0b> i tried to restart it and it doesnt load now 09:15 < ecrist> what error are you getting? 09:15 < m0b> it created the logfile tho 09:16 < m0b> oh 09:16 < m0b> perhaps it just didnt spit anythinginto the window 09:16 < m0b> its all in the logfile 09:16 < m0b> heh 09:16 < ecrist> :) 09:18 < m0b> ok 09:19 < m0b> restarted and it still did not work 09:19 < ecrist> what didn't work? 09:19 < m0b> i had to ssh into a box on local lan to get out without killing it or messing with route cmd 09:19 < m0b> well 09:19 < m0b> i reran the vpn on both sides 09:20 < m0b> i dont see what 10.1.0.5 09:20 < m0b> has to do with anything 09:20 < ecrist> what? 09:21 < m0b> what about the stuff in the ccd dir 09:21 < m0b> what should that look like 09:21 < m0b> and ipp.txt 09:21 < m0b> Tue Aug 12 09:16:55 2008 us=789465 /sbin/ip addr add dev tun0 local 10.1.0.6 peer 10.1.0.5 09:21 < ecrist> you don't need to worry about any of that. 09:21 < m0b> the client is 10.1.0.6 the server is 10.1.0.1 09:21 < m0b> according to my ping replies 09:22 < m0b> i do not see where 10.1.0.5 belongs 09:22 < ecrist> ignore that. 09:22 < ecrist> you're configuring for static IPS? 09:22 < m0b> yeah 09:22 < m0b> well 09:22 < ecrist> well, that's what those messages are all about 09:22 < m0b> i guess 09:23 < ecrist> OpenVPN 2.0.9 creates a /30 subnet for each IP. 09:23 < ecrist> although you're not seeing it attached to the interface, 10.1.0.5 is the server's side of the /30 for 10.1.0.6. 09:24 < m0b> ok 09:24 < ecrist> with OpenVPN 2.1.x, you can do away with the /30s. 09:24 < m0b> but its unpingable 09:24 < m0b> hrm 09:24 < ecrist> can you ping 10.1.0.1? 
09:24 < edeca> ecrist: And save yourself some private IP space? Wooh! heh
09:24 < m0b> yes
09:24 < m0b> i can ping it
09:24 < m0b> both sides are pingable
09:24 < m0b> from each other
09:25 < ecrist> edeca: it's a pain when you've got a ton of statics to configure. :)
09:25 < ecrist> m0b: ok, so the VPN is working.
09:25 < m0b> looking at the openvpn log
09:25 < ecrist> it's all routing and nat.
09:25 < m0b> it's still w/ source error
09:25 < m0b> bad source
09:25 < ecrist> paste the logs, please.
09:27 < edeca> ecrist: Hah, I hadn't thought of that ;)
09:28 < m0b> er.. i cannot access the internet hehe
09:28 < m0b> unless i kill it
09:28 < m0b> can i paste here?
09:28 < m0b> i'm connected thru another box on my LAN hehe
09:29 < m0b> Tue Aug 12 09:20:43 2008 us=413409 beware.evilgrin.org/70.204.9.21:43494 MULTI: bad source address from client [192.168.1.247], packet dropped
09:29 < m0b> but like x100
09:30 < m0b> well not 100 but at least 20 :)
09:33 < m0b> OpenVPN 2.0.6 i386-portbld-freebsd7.0 [SSL] [LZO] built on Aug 9 2008
09:33 < ecrist> oh, in your pf.conf, change the IP from the 70.x to 69.42.223.2
09:33 < ecrist> restart pf
09:34 < ecrist> oh, and remove that crontab line.
09:35 < m0b> so the pf ext_ip should be of the server itself
09:35 < m0b> ?
09:35 < ecrist> yes
09:35 < m0b> ah
09:35 < ecrist> it should be an IP that exists on the server running openvpn
09:35 < m0b> k
09:35 < m0b> restart 'em both?
09:37 < m0b> hm
09:37 < m0b> still no luck ;[
09:38 < m0b> perhaps i need to flush my route
09:39 < m0b> i'll reboot
09:39 < ecrist> no
09:39 < m0b> and see if that helps
09:39 < ecrist> you don't need to reboot
09:39 < ecrist> on the server, paste to me, pfctl -N
09:39 < m0b> heh i know that but i'm not sure how else to flush the routes
09:39 < ecrist> erm
09:39 < ecrist> pfctl -s
09:39 < m0b> No ALTQ support in kernel
09:39 < m0b> ALTQ related functions disabled
09:40 < ecrist> what is flushing the routes going to do for you?
09:40 < m0b> = pfctl -N
09:40 < m0b> on my linux box ..
09:41 < m0b> Tue Aug 12 09:37:26 2008 us=389555 ERROR: Linux route add command failed: shell command exited with error status: 2
09:41 < m0b> saw that in status
09:42 < ecrist> m0b: these commands are for the server, not the client
09:42 < ecrist> pfctl -s on the server, please.
09:42 < m0b> i know that
09:42 < m0b> ^ that was on the client
09:43 < m0b> $ pfctl -s
09:43 < m0b> pfctl: option requires an argument -- s
09:43 < m0b> usage: pfctl [-AdeghmNnOqRrvz] [-a anchor] [-D macro=value] [-F modifier]
09:43 < m0b> [-f file] [-i interface] [-K host | network] [-k host | network ]
09:43 < m0b> [-o [level]] [-p device] [-s modifier ]
09:43 < m0b> [-t table -T command [address ...]] [-x level]
09:43 < ecrist> pfctl -s nat
09:43 < ecrist> sorry
09:44 < m0b> nat on rl0 inet from 10.1.0.0/24 to any -> 69.42.223.2
09:45 < ecrist> ok, that looks good
09:45 < ecrist> now, on the client, netstat -r
09:45 < ecrist> what does default say
09:46 < m0b> 10.1.0.5
09:47 < ecrist> what does traceroute yahoo.com show
09:47 < m0b> can't ping 4.2.2.2 so i doubt a trace will work but i'm trying it
09:48 < m0b> hasn't done anything yet
09:48 < m0b> finally it resolved
09:48 < m0b> traceroute to yahoo.com (68.180.206.184), 30 hops max, 40 byte packets
09:48 < m0b> 1 * * *
09:49 < m0b> etc
09:50 < ecrist> oh, um
09:50 < ecrist> forgot
09:50 < ecrist> add gateway_enable="YES" to /etc/rc.conf
09:51 < ecrist> then sysctl net.inet.ip.forwarding 1
09:51 < m0b> ok
09:51 < m0b> ok
09:51 < m0b> done
09:52 < ecrist> now try the traceroute
09:52 < m0b> looks like it's gonna be the same
09:52 < m0b> taking forever to resolve
09:52 < ecrist> well, use the IP, rather than the dns name
09:53 < m0b> what should be in client /etc/resolv.conf ?
09:53 < m0b> anything special ?
09:53 < ecrist> nope
09:54 < ecrist> traceroute to an IP that's local to the vpn server.
09:54 < m0b> ok
09:54 < m0b> but
09:54 < m0b> the vpn server's DC blocks udp *
09:54 < m0b> blocks traceroute / ping
09:55 < m0b> * * * is all i get
09:55 < m0b> for anything
09:55 < ecrist> hard to test things, then.
09:55 < ecrist> the config you've got should work - i've got a similar thing working here with many users.
09:55 < ecrist> I don't know at this point, and can't give you any more of my time this morning.
09:55 < ecrist> sorry.
09:56 < m0b> ok
09:56 < m0b> hehe
09:56 < m0b> thanks
09:56 < m0b> appreciate your time :]
10:10 -!- m0b [i=elusive@neighborhood.dopeslinger.com] has quit [Read error: 104 (Connection reset by peer)]
10:14 -!- thrope [n=thrope@87-194-103-206.bethere.co.uk] has quit [Read error: 110 (Connection timed out)]
10:14 < SilenceGold> UDP is blocked?
10:15 < SilenceGold> sounds like DNS is too
10:15 < SilenceGold> oh
10:15 < SilenceGold> he left
10:15 < SilenceGold> heh
10:16 -!- rickb|server [n=admin@cpe-24-29-248-203.neo.res.rr.com] has joined ##openvpn
10:17 < rickb|server> Hello, I was wondering, would it be possible to link IRC servers together with a vpn? Just create a vpn, get each server onto the VPN and have them link internally through the VPN not just simply through the internet.
10:20 < cpm> ummm, sure.
10:20 < rickb|server> yay. :p
10:21 < rickb|server> I am trying to integrate servers and admins, making it easier for people to fix other people's things.. Also, it would be very secure. :p
10:21 < rickb|server> The best parts about linux and the best parts about VPNs converge. :)
10:22 < cpm> VPN is a poor servant and a brutal master. Only use where you need to use.
10:23 < rickb|server> Would it be fast enough for IRC servers? I mean the only thing between servers would be the linking, clients would still connect to the public access points.
10:33 -!- BoomSie [n=gideon@dw772421126.amsterdam-tc.dataweb.net] has quit ["Ex-Chat"]
10:45 < ecrist> rickb|server: it's going to be plenty fast.
10:45 < rickb|server> :p
10:45 < rickb|server> thanks.
10:45 < ecrist> however,
10:45 < ecrist> you're better off using SSL for server linking - VPN adds an unnecessary layer of complexity.
10:46 < ecrist> especially since the servers are public, anyways.
10:46 < rickb|server> True True.
10:47 < rickb|server> A little overkill..
10:57 -!- ke4qqq [n=ke4qqq@64.89.94.194.nw.nuvox.net] has joined ##openvpn
10:58 < ke4qqq> hey guys quick question - how do you control access to your VPNs - what I mean is that I work in a relatively tech savvy company. We maintain two vpn instances one for our machines and one for end user machines. End user machines are far less trusted. However I'd like to have a way to keep people from being able to take the .conf/.ovpn file and the certs and move them around to another machine. thoughts?
10:59 < ke4qqq> I suppose there is no way to identify a specific machine
10:59 -!- araknozzo [i=lepta@89-97-184-210.ip18.fastwebnet.it] has joined ##openvpn
10:59 < araknozzo> hi pple
11:00 < araknozzo> i have a problem
11:00 < araknozzo> i am having a server-bridge configuration
11:00 < araknozzo> but i can't reach the client or the server side of my openvpn
11:01 < araknozzo> would you help me
11:01 < araknozzo> ?
11:10 -!- araknozzo [i=lepta@89-97-184-210.ip18.fastwebnet.it] has quit ["Leaving"]
11:18 -!- xattack [i=invitado@132.248.108.239] has joined ##openvpn
11:23 -!- rickb|server [n=admin@cpe-24-29-248-203.neo.res.rr.com] has quit [Remote closed the connection]
11:33 < ecrist> ke4qqq: ther is
11:33 < ecrist> there*
11:33 < ecrist> use two different OpenVPN servers.
11:33 -!- decoder [n=decoder@mordor.cs.uni-sb.de] has quit [Read error: 54 (Connection reset by peer)]
11:34 < ecrist> use two different CAs to sign the certificates.
11:35 < ke4qqq> ecrist: I have done that, but what keeps someone from copying certs/configs from one machine to another?
11:35 < ecrist> you should password protect the CAcert.
11:35 < ecrist> erm, certificate
11:36 < ecrist> don't give those users access to the certificate files.
11:36 < ecrist> also, you could add in some scripting, comparing the certificate CN to the hostname of the system connecting
11:36 < ecrist> if they don't match, drop the connection.
11:37 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
11:38 < ke4qqq> how do you deny access to the cert files?
11:38 < ke4qqq> tell me about the scripting of comparing CN to hostname
11:38 < ecrist> do these *users* have root access to the system?
11:38 < ke4qqq> assume yes
11:39 < ecrist> well, then either, 1) the users are trusted, and should behave, or 2) the machines *can't* be trusted.
11:39 < ke4qqq> the machines can't
11:40 < ecrist> you said you have trusted machines.
11:40 < ke4qqq> I should have put that word in quotes.....they are company owned machines
11:40 < ke4qqq> but they let users run around as localadmin, so they are certainly not trustworthy
11:40 < ecrist> ok, and how would the users benefit from taking the certificates from the other machines?
11:41 < ecrist> do the VPNs on those non-user machines need to be restarted often?
11:41 < ke4qqq> constantly - they are laptops
11:42 < ke4qqq> moving around
11:42 < ecrist> well, there's not much you can do, then.
11:42 < ke4qqq> and the benefit is that there are less restrictive firewall rules on the 'trusted' machine vpn
11:43 < ecrist> ke4qqq: your logic is flawed
11:44 < ecrist> if you don't have full control of a machine, you can't trust it more than a user-owned machine, given the user has the same rights.
11:44 < ecrist> your setup sounds wonky, and wouldn't be easily supported under _any_ VPN config
11:45 < ke4qqq> I agree - just trying to work with what has been thrust upon me.....
11:46 < ecrist> there's nothing you can really do.
11:46 < ecrist> other than tell the users what they can and cannot do.
11:46 < ecrist> should and should not do, rather.
11:46 < ecrist> given they have admin privs, they *can* do anything they like
12:10 -!- weatherhead [n=danw@cpc1-midd4-0-0-cust684.midd.cable.ntl.com] has joined ##openvpn
12:10 < weatherhead> hello there, I'm setting up a small vpn and getting a bit confused about routing
12:12 < weatherhead> I am trying to allow the client to connect to my LAN and access LAN services. All my local machines have IP addresses in 192.168.2.x
12:13 < weatherhead> the openVPN server is at IP address 192.168.2.102, and when someone connects they get an ip address of 10.8.0.1
12:13 < rob0> you need to look for a simple IP routing tutorial. The basic tidbit is that all routing has to be bidirectional. It's not enough for one side to know where to send to the other, if the other doesn't know how to send back.
12:14 < weatherhead> I have read through a couple of tutorials,
12:14 < rob0> Then openvpn is an excellent educational tool, it's how I learned routing.
12:14 < weatherhead> but I'm an audio geek, and have no clue about networks
12:14 < weatherhead> heh ok
12:14 < weatherhead> I've tried a few things but nothing seems to work
12:15 -!- weatherhead [n=danw@cpc1-midd4-0-0-cust684.midd.cable.ntl.com] has quit [Remote closed the connection]
12:16 -!- weatherhead [n=danw@cpc1-midd4-0-0-cust684.midd.cable.ntl.com] has joined ##openvpn
12:16 < weatherhead> sorry about that, xorg crash
12:18 < rob0> ok, anyway, reread and keep thinking about the "tidbit" I gave you.
12:18 < weatherhead> right
12:18 < rob0> "The basic tidbit is that all routing has to be bidirectional. It's not enough for one side to know where to send to the other, if the other doesn't know how to send back."
12:18 < weatherhead> so I think I have to configure it such that any traffic from anywhere on my LAN to 10.8.x.x gets routed to the openVPN server
12:18 < rob0> 99% of routing problems boil down to that
12:19 < rob0> yep
12:19 < weatherhead> which is where I hit a problem.... my router is just an off the shelf box thing
12:19 < weatherhead> which doesn't seem to do internal IP routing
12:23 < rob0> You can manually enter routes on just about any TCP/IP-enabled OS. Or, turn off DHCP on the router and manage DHCP from another box.
12:23 < pumkinhed> weatherhead: sorry to jump in late, i could scrollback, openvpn isn't running on your default gateway??
12:24 < weatherhead> it is not
12:24 < weatherhead> I have an embedded debian box
12:24 < weatherhead> used as a NAS
12:24 < pumkinhed> ok, what's your default gateway?
12:24 < pumkinhed> linksys box?
12:24 < weatherhead> openVPN is running on this. My gateway is forwarding the ports to it
12:24 < weatherhead> no, it's some crappy edimax thing
12:24 < weatherhead> I've looked for openwrt support, and it doesn't exist...
12:25 < pumkinhed> ahh, ok, you have two options: figure out how to add a route to that box, or add a route to each client
12:26 < weatherhead> do you mean client as in openVPN client, or client as in LAN client
12:26 < pumkinhed> client as in LAN client, the openvpn clients already know how to route back to your network
12:27 < pumkinhed> presumably you have an ifconfig "push options" in your openvpn config
12:27 < pumkinhed> err push "route 192.168.0.0 255.255.255.0" even
12:28 < pumkinhed> so openvpn clients are routing to you... nothing to worry about there
12:28 < pumkinhed> are you in a domain environment?
12:28 < pumkinhed> *windows domain
12:29 < weatherhead> I have "route 192.168.2.1 255.255.255.0"
12:29 < weatherhead> I am not. There are quite a few boxes here all running either opensuse or OSX
12:29 < pumkinhed> ok, that makes it a little more difficult... you could turn the debian comp into your default gateway, and have its default gateway pointed at your edimax box....
12:30 < pumkinhed> then the debian box will route all your network traffic appropriately
12:30 < pumkinhed> is that an option?
12:30 < weatherhead> the problem is the debian box isn't always on.
12:30 < pumkinhed> ah, are a large number of users on your LAN going to need to access the other side of the VPN?
12:31 < weatherhead> and it's pretty slow. We use the network to stream a lot of audio and video traffic, so it's not ideal if everything is going through the debian box
12:31 < weatherhead> pumkinhed: no
12:31 < pumkinhed> or are users from the VPN going to access a lot of boxes on the other side?
12:31 < weatherhead> basically, the VPN is needed so we can have just 1 or 2 remote clients on the LAN
12:31 < pumkinhed> because it would probably be easier just to add the static routes
12:31 < pumkinhed> to the servers
12:31 < weatherhead> yes that's probably easiest
12:32 < weatherhead> I can pretty quickly deploy a routing table to all the machines if I knew what worked
12:32 < pumkinhed> ie: on windows: route add 10.8.0.0 mask 255.255.255.0 192.168.1.
12:32 < weatherhead> do I need this "push" option in the openvpn conf?
12:32 < weatherhead> in front of the "route" parameter
12:33 < pumkinhed> yes
12:34 < pumkinhed> that is telling openvpn clients how to route back to your 192 network
12:34 < pumkinhed> but you need to correct it
12:34 < weatherhead> I think the first thing is, what routing table do I need on the debian box itself? it connects to the rest of the network via eth0, and the VPN is through tun0
12:36 < pumkinhed> the debian box should have the routes it needs
12:37 < pumkinhed> but it needs to be config'd to route traffic
12:37 < weatherhead> I have enabled IP forwarding
12:38 < pumkinhed> perfect
12:38 < weatherhead> its routing table only has one option at the moment
12:38 < pumkinhed> if you run netstat -nr on the debian box, you can see its routing table
12:39 < weatherhead> 0.0.0.0 gw: 192.168.2.1 mask: 0.0.0.0
12:39 < pumkinhed> what you are looking for is an entry like 10.8.0.0/24 10.8.0.2
12:39 < weatherhead> it doesn't have such an entry
12:39 < pumkinhed> if you run sysctl -a | grep forward, is forwarding 1?
12:39 < weatherhead> it is
12:40 < weatherhead> net.ipv4.ip_forward=1
12:42 < pumkinhed> ok then, manually add the route i suppose, route add -net 10.8.0.0 10.8.0.2
12:42 < pumkinhed> any experts disagree?
12:42 < pumkinhed>
12:42 < weatherhead> oh hell sorry openvpn isn't actually running atm
12:43 < weatherhead> two seconds
12:43 < weatherhead> ah it has added the route
12:47 < weatherhead> ok, I guess that route in the openVPN config file is wrong, because it'll route all the traffic to my gateway, where they will just be lost? am I right?
12:50 -!- burnin [n=burnin@204-228-142-194.ip.xmission.com] has joined ##openvpn
13:27 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn
13:28 -!- bandini [n=bandini@host161-22-dynamic.20-79-r.retail.telecomitalia.it] has joined ##openvpn
13:30 -!- dmarkey_ [n=dmarkey@79.97.241.103] has joined ##openvpn
13:30 < dmarkey_> hi, this is probably a very common question
13:31 < dmarkey_> but which is faster, tun or tap
13:33 < ecrist> heh
13:34 < ecrist> depends on what you're doing.
13:34 < ecrist> theoretically, tap is faster, with less overhead for routing and subnetting.
13:38 -!- xattack [i=invitado@132.248.108.239] has quit ["Leaving"]
13:38 < dmarkey_> but are there not more layers?
13:39 < ecrist> you could get into the coding of the drivers, etc, but the difference is going to be *very* minimal
13:39 < dmarkey_> oh ok
13:40 < dmarkey_> because i'm having trouble with tun
13:40 < ecrist> what problems?
13:40 < dmarkey_> well, the client gets an IP but can't reach the other side
13:41 < dmarkey_> doesn't matter anyway, works with tap
13:42 < ecrist> dmarkey_: most probably a routing issue.
13:42 < dmarkey_> hmm.. but all i changed in the config was tun/tap
13:42 < rob0> No, tun has less network overhead.
13:43 < dmarkey_> is there more configuration on the client side for tun?
13:43 < rob0> !bridging
13:43 < vpnHelper> rob0: Error: "bridging" is not a valid command.
13:43 < dmarkey_> i think it could be an issue with netbsd
13:43 < ecrist> dmarkey_: it's a routing issue
13:43 < ecrist> trust me.
13:44 < dmarkey_> rob0: i'm using routing and a different subnet, with tap
13:44 < dmarkey_> so i'm not using a bridge
13:45 < dmarkey_> oh... hmm.. if i use tun on the server, should i use tun on the clients too?
13:45 < ecrist> yes
13:45 < dmarkey_> it won't work mismatching?
13:45 < ecrist> your server and client configs need to match.
13:46 < ecrist> why do you think it would?
13:47 < ecrist> If I speak French, can you understand me?
13:47 < ecrist> I don't think so.
13:47 < ecrist> :)
13:48 < dmarkey_> ecrist: genius
13:49 < dmarkey_> now will i have less latency in general or will i even notice it
13:49 < ecrist> you won't notice a difference, save a misconfiguration, of course.
13:50 < dmarkey_> hmm
13:50 < dmarkey_> i think i notice some latency. or could i be imagining it?
14:09 -!- aia [n=aia@unaffiliated/aia] has joined ##openvpn
14:12 -!- weatherhead [n=danw@cpc1-midd4-0-0-cust684.midd.cable.ntl.com] has quit [Remote closed the connection]
14:17 -!- burnin [n=burnin@204-228-142-194.ip.xmission.com] has quit ["Leaving"]
14:22 < pumkinhed> dmarkey_: latency is probably being caused by transmission through the internet, the overhead openvpn will add during processing will be minimal by comparison
14:29 < ecrist> dmarkey_: you're not going to notice the difference between tun and tap
14:35 < pumkinhed> anyone w experience using openvpn to provide laptops connectivity back to domain?
14:35 < pumkinhed> ie, why is SMB so slow
14:36 < ecrist> pumkinhed: I'd guess it's slow remote link.
14:37 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:37 < pumkinhed> well, define `slow`, it's high latency (100ms-200ms), ~50KB/s either direction, is that not enough
14:37 < ecrist> 100 to 200ms is pretty slow, but not unbearable.
14:38 -!- ke4qqq [n=ke4qqq@64.89.94.194.nw.nuvox.net] has quit [Client Quit]
14:38 < ecrist> 50KB/s isn't exactly fast, though.
14:39 < pumkinhed> ok, i may have to force users to live with it (nice thing about openvpn is it's always on, bad thing about it is that you can't force windows to dial the connection for group policy sync)
14:41 < ecrist> sounds like a plan to me.
14:42 < pumkinhed> i guess maybe the right angle to try, is to get offline files working appropriately...
14:42 < pumkinhed> when users are `online`, it's quite slow, when users are `offline` it's very quick
14:43 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Client Quit]
14:44 < aia> Is there a Privoxy channel?
14:45 < pumkinhed> maybe #tor, your guess is as good as mine
14:47 < aia> hmm
14:47 < aia> thx
15:00 * ecrist heads home
15:03 -!- krzie [i=krzee@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
15:04 -!- dmarkey_ [n=dmarkey@79.97.241.103] has quit [Remote closed the connection]
16:10 -!- m0b [i=elusive@neighborhood.dopeslinger.com] has joined ##openvpn
16:18 < rmull> Emergency.
16:19 < rmull> I have a remote vpn client and I had to make some changes to the DNS
16:19 < rmull> I had the remote client connecting to a.com and I had to change it to b.com
16:20 < rmull> So I made sure b.com resolved to the correct IP (same IP as a.com) and made a second conf with the new DNS entry
16:20 < rmull> And to test it I ran "openvpn second.conf" while the original VPN connection was up
16:20 < rmull> Thinking that it would just tell me it would not work, and if it did work, it would still connect to the same server and get the same info and everything
16:21 < rmull> But that's not the case. I lost connectivity.
16:21 < rmull> OMG thank you
16:21 < rmull> It came back online
16:21 < rmull> WHEW
16:21 < rmull> Lol
16:28 < SirFunk> i have 2 windows hosts connected to my open vpn network.. both get different ips.. it seems like whichever one connects later can ping the other but not vice versa
16:30 -!- K| [n=K@stgt-5d834f2c.pool.einsundeins.de] has joined ##openvpn
16:31 < K|> hi, i was following the tutorial, and couldn't quite find out what to do with 0{n}.pem and am missing so far the dh1024.pem
16:37 < SirFunk> The local and remote VPN endpoints cannot use the first or last address within a given 255.255.255.252 subnet
16:37 < SirFunk> isn't that impossible? don't .252 subnets only include 2 addresses
16:37 < SirFunk> thus they would both be first or last?
16:39 < ecrist> SirFunk: no
16:40 < ecrist> it's a /30, which gets you exactly 4 ips
16:40 < ecrist> one network, 2 host, 1 broadcast.
16:40 < SirFunk> hmm ok
16:40 < SirFunk> man openvpn on windows is frustrating
16:41 < ecrist> it shouldn't be that bad.
16:41 < ecrist> I've got 50+ year old women running it...
16:41 < SirFunk> i have 2 windows hosts... whichever one connects LATER is pingable by the other one... but it cannot ping the other one
16:41 * ecrist goes out for a beer.
16:42 -!- decoder [n=decoder@146-229-024-217.ip-addr.teresto.net] has joined ##openvpn
16:54 -!- decoder [n=decoder@146-229-024-217.ip-addr.teresto.net] has left ##openvpn ["*gone*"]
17:10 -!- K| [n=K@stgt-5d834f2c.pool.einsundeins.de] has quit [Remote closed the connection]
19:07 < ecrist> blah
19:10 < ecrist> evening, kids
19:26 < aia> hey folks
19:42 < ecrist> hola
21:12 -!- burnin [n=burnin@204-228-142-194.ip.xmission.com] has joined ##openvpn
21:40 -!- near [n=near@88-122-26-215.rev.libertysurf.net] has quit [Read error: 110 (Connection timed out)]
21:40 -!- near [n=near@88-122-27-106.rev.libertysurf.net] has joined ##openvpn
21:53 < aia> why am I not able to get web traffic through the vpn server?
21:54 < aia> or access the web
21:54 -!- djs [n=djs@unaffiliated/djs26] has quit ["leaving"]
21:54 -!- djs26 [n=djs@unaffiliated/djs26] has joined ##openvpn
21:56 -!- djs26 is now known as djs
21:57 -!- kaynine [i=5684dc5d@gravity.spherecarrier.org] has joined ##openvpn
22:08 < kaynine> Hi all. I'm setting up OpenVPN server on linux, with clients which include w2k; w2k seems to require dev tap which I'm comfortable with; but I don't think I need any bridging (though maybe I do). Clients can ping/smb each other, and server; but server can't ping/smb any clients.
22:10 < kaynine> Is it possible for this server to ping/smb the clients, as if it were a client itself?
22:11 < kaynine> I tried running client on the same host as server; without success.
22:13 < kaynine> While I think I'm understanding the lack of routing information from server to clients, my lan gateway easily "sees" other hosts on the same subnet, so I know I'm missing something fundamental here.
22:19 -!- mooseman447 [n=mooseman@24.229.203.37.res-cmts.sm.ptd.net] has joined ##openvpn
22:32 < mooseman447> hey
22:58 < ecrist> heya, folks
22:59 < ecrist> kaynine: with a bridging VPN, you should be able to see your VPN clients as though they are on the local LAN.
22:59 -!- krzee [n=k@unaffiliated/krzee] has joined ##openvpn
23:00 < krzee> I just realized bridging opens people up to MITM attack if 1 machine on one of the lans is compromised
23:00 < krzee> never thought of that
23:00 < krzee> although it should have been obvious
23:07 -!- mooseman447 [n=mooseman@24.229.203.37.res-cmts.sm.ptd.net] has quit [Remote closed the connection]
23:11 < kaynine> ecrist: do I need to bridge through eth* just in order to see other hosts on the tap* subnet?
23:11 < kaynine> or can I bridge to lo ? :)
23:12 < kaynine> I hadn't thought of bridging to the lo interface before; it might be the ticket.
23:17 < ecrist> kaynine: you need to bridge ethx
23:18 < ecrist> that's what the start-bridge scripts are supposed to help you with.
23:19 < krzee> haha
23:19 < krzee> bridging localhost
23:19 < krzee> so your localhost can talk to the tap... but the tap can't connect to the inet cause it's not bridged to it
23:20 < kaynine> well, the bridge isn't intended to serve the clients; I don't really need or want them to have access to the eth+ interface
23:20 < krzee> you need the tap to see the network interface if you want it to do ANYTHING over the inet
23:20 < krzee> for bridging this is done with a bridge
23:20 < krzee> for routing it is done with a route
23:21 < ecrist> kaynine: for your LAN to access the VPN, you need to bridge tap0 and your LAN ethernet interface.
23:21 < ecrist> or, give up.
23:21 < ecrist> :)
23:21 < kaynine> yes, for inet access; but I'm looking mostly for secure samba filespace
23:22 < ecrist> eth != inet
23:22 -!- mooseman447 [n=mooseman@24.229.203.37.res-cmts.sm.ptd.net] has joined ##openvpn
23:25 < kaynine> I don't need the lan to access the tap hosts; I only need the localhost to access the tap clients
23:25 < krzee> dude
23:25 < krzee> there are no tap clients without bridging in an inet interface
23:25 < krzee> how do you get tap clients with no inet?
23:26 < krzee> they come from... the internet
23:26 < kaynine> yes they do
23:26 < krzee> unless your clients are connecting from localhost, in which case wtf
23:26 < krzee> they connect from localhost to localhost?
23:26 < kaynine> they connect via the inet
23:27 < krzee> then you need an inet interface bridged to tap interface
23:27 < krzee> haha
23:27 < ecrist> kaynine: your samba server needs to listen to ::1 then.
23:27 < krzee> ok when i say inet interface
23:27 < krzee> i mean network interface
23:27 < krzee> sorry if that confused you
23:27 < kaynine> before samba, ..... server 10.8.0.1 cannot ping any of the tap clients
23:28 < krzee> !logs
23:28 < vpnHelper> krzee: "logs" is please pastebin your logfile with verb set to 6
23:28 < krzee> !forget logs
23:28 < vpnHelper> krzee: The operation succeeded.
23:28 < krzee> !learn logs as is please pastebin your logfiles from both client and server with verb set to 6
23:28 < vpnHelper> krzee: The operation succeeded.
23:38 < kaynine> I now provide on vpn server, without bridging, client access to outbound gateway, and a secure channel to samba shares on the vpn server; without bridging; using tap0
23:39 < kaynine> clients can access each other for netbios over tcp shares also
23:39 < krzee> may i see your configs?
23:39 < kaynine> but the vpn server cannot ping any of the clients on tap0
23:40 < krzee> they can't ping but they can access samba shares?
23:40 < kaynine> no
23:41 < kaynine> there's no routing information to them from the tap0 server
23:41 < krzee> no kidding
23:41 < krzee> cause if you want tap (aka bridged mode) you need a bridge
23:41 < krzee> if you want routed, you want to use tun
23:41 < krzee> if it's all within lan, you are using the wrong program
23:41 < krzee> this is for connecting lans
23:42 < krzee> it will not work all in the same lan
23:42 < kaynine> w2k doesn't seem to use tun
23:42 < krzee> oh windows
23:43 < krzee> please pastebin your configs
23:43 < kaynine> on some clients, yes
23:43 < kaynine> not on server
23:43 < krzee> so the server is using tun right...?
23:44 < kaynine> can I tun on server and tap on client?
23:44 < kaynine> (I think I tried that, without success)
23:46 < kaynine> you know, the traditional office ethernet lan is configured ala tap, not ala tun, with their ifconfigs
23:46 < mooseman447> hmm after a while my client disconnects and reconnects to the server and this in the client log Inactivity timeout (--ping-restart), restarting
23:47 < kaynine> krzee: I'll sleep on it ..... Thank you for caring.
23:47 < krzee> np 23:48 < krzee> maybe windows uses tap 23:48 < krzee> havnt read the windows docs in awhile 23:48 < krzee> didnt realize you meant win tap with routed when i was saying that 23:48 < kaynine> I was OK with tun until I introduced the windows clients 23:49 < kaynine> though static IP seleciton was a pain 23:52 < kaynine> as long as clients can reach each other, and the server, I probably don't need the server to connect back to the clients (i.e. for pulling backups); I'll just set up a client to do that :) 23:53 < kaynine> (it's easier for me to pull a backup from a windows client than it is for me to figure out how to get windows clients to push one/it :) 23:53 < kaynine> g'nite anyway. .... 23:53 * kaynine goes afk 23:54 < kaynine> (log on) --- Day changed Wed Aug 13 2008 00:16 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn 00:28 -!- mooseman447 [n=mooseman@24.229.203.37.res-cmts.sm.ptd.net] has quit ["Leaving"] 00:42 -!- floyd_n_milan_ [n=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn 00:56 -!- burnin [n=burnin@204-228-142-194.ip.xmission.com] has quit ["Leaving"] 01:00 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Read error: 110 (Connection timed out)] 01:15 -!- bandini [n=bandini@host161-22-dynamic.20-79-r.retail.telecomitalia.it] has quit ["Ex-Chat"] 01:34 < kraut> moin 02:17 < krzee> !kraut 02:17 < vpnHelper> krzee: "kraut" is moin 02:17 < krzee> heh 02:18 < krzee> i should add a plugin just to respond to kraut every night =] 02:50 -!- dmarkey [n=dmarkey@nat/ibm/x-294c1f9d2daf96a9] has joined ##openvpn 02:50 < dmarkey> hello 02:52 < krzee> hey 02:55 < m0b> hello 02:55 < m0b> i still cant get this shit to work ;[ 02:55 < m0b> i even bought a swissvpn account and that wont work either 02:56 < dmarkey> so, what can i do to lower latency in openvpn 02:56 < krzee> m0b, nice hostname! 02:56 < krzee> dmarkey, tun or tap? 02:56 < m0b> hehe thx! 
:P 02:57 < m0b> how did you get yours to /unaffil 02:57 < m0b> ? 02:57 < krzee> an oper that trusts you has to add it to your registered nickserv account 02:57 < m0b> oh 02:57 < m0b> i see 02:57 < dmarkey> tun, altho i can switch to tap if its faster 02:57 < krzee> dmarkey, it is slower 02:57 < dmarkey> tun is swoer? 02:58 < krzee> i woulda said tun is if you said tap 02:58 < krzee> nah tun is faster 02:58 < krzee> you use udp? 02:58 < dmarkey> yes 02:58 < krzee> good 02:58 < krzee> !mtu 02:58 < vpnHelper> krzee: "mtu" is you may find help finding the right MTU with this method: http://help.expedient.com/broadband/mtu_ping_test.shtml 02:58 < dmarkey> its adding about 5ms latency to my connection as it is 02:58 < krzee> if you are fragmenting after the fragmentation your MTU is set to, you will be adding extra overhead 03:00 < dmarkey> hmm.. whats the linux eq to test this 03:00 < krzee> not sure, play with it 03:00 < dmarkey> is 5ms about the norm? 03:00 < krzee> dunno 03:00 < krzee> never been concerned with it 03:00 < krzee> btw do you notice 5ms? 03:00 < krzee> even on voip you shouldnt notice 5ms 03:02 < krzee> kaynine, I was OK with tun until I introduced the windows clients 03:03 < krzee> kaynine, you were ok tunneling over the LAN? 03:16 -!- Bushmills [n=Bushmill@ip-77-25-162-229.web.vodafone.de] has joined ##openvpn 03:17 < Bushmills> g'day 03:21 < Bushmills> it appears that, when client connects to server, server open a connection to the client in return. that's what googling for error "read UDPv4 [ECONNREFUSED]: Connection refused (code=111)" (from server log) seems to indicate - found answers saying "client process doesn't listen". and in fact, i can't connect client from server under its ip, no ping, and mtr stops at a hop halfway. 03:23 < Bushmills> it appears that my provider (i'm on a mobile phone connection) blocks attempts to connect to my machine. now, is there a way i can configure openvpn client and/or server around this? 
03:26 -!- floyd_n_milan_ [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Remote closed the connection] 03:27 < krzee> hrm 03:27 < krzee> can your mobile phone connect to arbitrary encrypted websites? 03:27 < Bushmills> doesn't seem to be related to inactivity timeout, but the "refused" message is followed by one, a minute later 03:28 < Bushmills> krzee, https? yes. 03:28 < krzee> try using tcp and port 443 on your server 03:28 < Bushmills> krzee, this is actually a linux computer with an umts modem 03:28 < krzee> i dont usually recommend tcp 03:28 < krzee> but sometimes you have no choice 03:28 < krzee> !tcp 03:28 < vpnHelper> krzee: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html 03:29 < Bushmills> ok, will try 03:29 < krzee> this could be one of those sometimes 03:29 < krzee> also 03:29 < krzee> try udp 53 03:29 < krzee> assuming you can directly query an arbitrary NS 03:29 < Bushmills> there's a dns running on the openvpn server 03:29 < krzee> some admins are lazy in their blocking 03:29 < krzee> ahh 03:29 < Bushmills> and i'm the server admin 03:29 < krzee> not server admin 03:29 < krzee> firewall admin 03:29 < Bushmills> also firewall admin 03:29 < krzee> assuming thats whats stopping you 03:30 < Bushmills> no. server side is ok, works with other machines 03:30 < krzee> it appears that my provider (i'm on a mobile phone connection) blocks attempts to connect to my machine. now, is there a way i can configure openvpn client and/or server around this? 03:30 < krzee> that firewall admin 03:30 < krzee> the one you just said you suspect is blocking it 03:30 < krzee> hehe 03:30 < Bushmills> ah. provider router, not openvpn client/server, you mean? 03:30 < krzee> if hes lazy maybe udp 53 (which you cant use anyways) 03:31 < dmarkey> can i use tun on windows?
03:31 < Bushmills> because on provider router mtr stops 03:31 < krzee> if not, maybe tcp 443 03:31 < krzee> !windows 03:31 < Bushmills> yeah, i'll try 443, because the web server on openvpn machine has no https enabled 03:31 < vpnHelper> krzee: Error: "windows" is not a valid command. 03:31 < krzee> bleh i should add one for that 03:33 < dmarkey> yup 03:35 < dmarkey> ok, so you can use tun, but one still has to install the tap driver? 03:37 < krzee> from what im seeing 03:37 < krzee> seems windows does routed over tap 03:37 < krzee> im really outta the windows loop 03:38 < dmarkey> hmm.. it would have been handy to not have to install the tap driver 03:38 < krzee> why? 03:40 < krzee> !learn new as http://openvpn.net/index.php/documentation/faq.html#tunnel-principal 03:40 < vpnHelper> krzee: The operation succeeded. 03:40 < krzee> err 03:40 < krzee> !forget new 03:40 < vpnHelper> krzee: The operation succeeded. 03:40 < krzee> !learn vpn as http://openvpn.net/index.php/documentation/faq.html#tunnel-principal 03:40 < vpnHelper> krzee: The operation succeeded. 03:43 -!- kaushal [n=kaushal@bbs.webaroo.com] has joined ##openvpn 03:43 < kaushal> hi 03:43 < krzee> heh busy night 03:43 < kaushal> krzee, hi 03:43 < krzee> hey 03:44 < krzee> only here for a few min then back to the movie 03:44 < krzee> whats goin on 03:44 < kaushal> I am using Ubuntu 8.04 Linux 03:44 < kaushal> every time when i need to connect to Open VPN Server 03:44 < kaushal> I need to add the route command 03:45 < Bushmills> kaushal, server can push routes to client 03:45 < krzee> server and client both on ubuntu? 03:45 < kaushal> sudo ip route add 10.0.0.0/8 via 10.10.50.12 dev tap0 03:45 < krzee> you do that on client? 
03:45 < kaushal> yeah 03:45 < krzee> look at push command 03:46 < krzee> you can push the route 03:46 < krzee> (like Bushmills said) 03:46 < kaushal> Bushmills, is it possible on the client side 03:46 < Bushmills> kaushal, on the client side is what you do now 03:46 < krzee> the server config pushes to client 03:47 < krzee> for automation 03:47 < krzee> that way server controls things 03:47 < Bushmills> kaushal, but instead, you can ask server to instruct client to do that instead 03:47 < kaushal> ok 03:47 < kaushal> Bushmills, what will be the command syntax 03:47 < kaushal> on the server side 03:48 < kaushal> based on sudo ip route add 10.0.0.0/8 via 10.10.50.12 dev tap0 03:48 < Bushmills> kaushal, i forgot. push-route .... or push ... 03:49 < Bushmills> kaushal, for example: push "route 78.47.17.170 255.255.255.255" 03:49 < Bushmills> that's for one single address, not a net 03:50 < kaushal> Bushmills, It works fine for windows client 03:51 < kaushal> only on Linux client I have the issue 03:51 < Bushmills> i never tried that on windows, but it works fine with linux here 03:51 < krzee> just like the route command, but you push it 03:51 < krzee> you can push a lot of commands 03:52 < krzee> man page has a few examples 03:52 < kaushal> is that possible from client side 03:52 < kaushal> that was my concern 03:52 < krzee> as Bushmills said 03:52 < krzee> you already do it on client side 03:52 < kaushal> since i dont have access to the server 03:52 < kaushal> on Client side 03:53 < krzee> put your command in a -up script then 03:53 < kaushal> ok 03:53 < krzee> or try the route command in client config 03:53 < krzee> ild expect it to work 03:53 < kaushal> krzee, please give me a moment 03:54 < krzee> seeing as pushed options make the command seem to be in the client config 03:54 < kaushal> krzee, i dont have up script under /etc/openvpn 03:54 < krzee> read docs 03:54 < krzee> they are your friend 03:54 < krzee> !howto 03:55 < vpnHelper> krzee: "howto" is OpenVPN comes 
with a great howto, PLEASE READ IT! http://openvpn.net/howto 03:55 < krzee> !google 03:55 < vpnHelper> krzee: (google [--{language,restrict} ] [--{notsafe,similar}]) -- Searches google.com for the given string. As many results as can fit are included. --language accepts a language abbreviation; --restrict restricts the results to certain classes of things; --similar tells Google not to filter similar results. --notsafe allows possibly work-unsafe results. 03:55 < kaushal> I have only update-resolv-conf 03:55 < krzee> heh, dog 03:55 < krzee> doh 03:55 < krzee> yes, you make your own up script 03:55 < krzee> read docs for info 03:55 < krzee> man page is good too 03:55 < kaushal> krzee, if you can give me an example that would be helpful 03:55 < krzee> ild rather point you in the right direction than do it for you 03:55 < kaushal> i have read all the docs 03:56 < krzee> obviously not the part on up scripts 03:57 < krzee> !learn man as http://openvpn.net/index.php/documentation/manuals/openvpn-20x-manpage.html the man pages are your friend! 03:57 < vpnHelper> krzee: The operation succeeded. 03:58 < krzee> --up cmd 03:58 < krzee> Shell command to run after successful TUN/TAP device open (pre --user UID change). The up script is useful for specifying route commands which route IP traffic destined for private subnets which exist at the other end of the VPN connection into the tunnel. 03:58 < krzee> Typically, cmd will run a script to add routes to the tunnel. 
03:58 < krzee> i swear its not hard 03:58 < krzee> heh 03:59 < krzee> and command that can be passed via -- can be added to config 03:59 < krzee> up "sudo ip route add 10.0.0.0/8 via 10.10.50.12 dev tap0" 03:59 < krzee> fine you got me to do it 03:59 < krzee> =[ 04:00 < kaushal> krzee, thanks for your patience 04:00 < krzee> all cause of missing rar files in my movie im redownloading =/ 04:00 < kaushal> where do i add this 04:00 < krzee> you're welcome 04:00 < kaushal> I mean up "sudo ip route add 10.0.0.0/8 via 10.10.50.12 dev tap0" 04:00 < krzee> sorry im kinda short, havnt gotten much sleep last couple days 04:01 < krzee> in your client config 04:01 < kaushal> krzee, i completely agree with you 04:01 < kaushal> I dont have anything under /etc/openvpn/ 04:01 < krzee> huh? 04:02 < krzee> open your client config file 04:02 < krzee> and add the line 04:02 < krzee> if you dont have a client config file, then you have some work to do! 04:03 < Bushmills> krzee, going through tcp 443 looks better, no more err 111. but a new one: server log says now "SIGUSR1[soft,connection-reset] received, client-instance restarting". no sign of any log or reason for sigusr1 on client. 04:03 < kaushal> krzee, is it update-resolv-conf 04:03 < krzee> Bushmills 04:03 < krzee> !logs 04:03 < vpnHelper> krzee: "logs" is is please pastebin your logfiles from both client and server with verb set to 6 04:03 < krzee> kaushal, dude 04:04 < krzee> if you dont know where your client config is, i cant hel you 04:04 < krzee> help 04:04 < krzee> your openvpn configuration file 04:04 < krzee> yanno, the one you setup so you can run openvpn... 04:04 < krzee> haha 04:04 < krzee> looks something like this... 04:04 < krzee> !configs 04:04 < vpnHelper> krzee: Error: "configs" is not a valid command.
04:04 < krzee> !sample 04:04 < vpnHelper> krzee: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs 04:05 < kaushal> krzee, i am using Network Manager under ubuntu 04:05 < krzee> oh dude 04:05 < krzee> good luck 04:05 < kaushal> to configure openvpn 04:05 < krzee> mail list is full of examples of that sucking 04:05 < krzee> i personally have not and will not try that or learn about it 04:05 < krzee> so ya, best of luck to ya there 04:06 < dmarkey> can i get a server to listen on both udp and tcp 04:06 < krzee> by running 2 instances of openvpn 04:06 < krzee> @ dmarkey 04:07 < dmarkey> can they use the same keys etc? 04:07 < krzee> sure 04:07 < dmarkey> and the same tun and subnet? 04:07 < krzee> just dont let them overlap ips they hand out 04:07 < krzee> and you're fine 04:08 < dmarkey> ok thanks 04:08 < krzee> np =] 04:08 < Bushmills> krzee, http://scarydevilmonastery.net/ovpn.log 04:09 < Bushmills> server log, after starting openvpn on client. both tcp/443 04:09 < krzee> Bushmills, and other log? 04:09 < krzee> "from both client and server" 04:09 < krzee> time is running out 04:09 < krzee> download finished 04:09 < krzee> unrar'ing 04:09 < Bushmills> i don't seem to have any client side log 04:10 < krzee> you should prolly fix that... 04:11 < Bushmills> prolly. new machine, a netbook. openvpn preinstalled, fedora. not done a lot on customizing yet 04:11 < Bushmills> just grepped for ovpn through logs 04:11 < krzee> well ya edit your client config file to your needs 04:11 < krzee> !sample 04:11 < vpnHelper> krzee: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs 04:12 < krzee> lol i seem to not be specifying a logfile on my client either 04:12 < krzee> *shrug* 04:12 < krzee> does it output to /var/log/messages?
04:13 < krzee> i dont use fedora 04:13 < krzee> btw 04:13 < Bushmills> neither do I, usually 04:14 < krzee> trying to run something without configuring it really is asking for problems 04:14 < Bushmills> i took over a known good client config from another client, modded it 04:14 < krzee> ah werd 04:14 < krzee> well find logs 04:14 < krzee> they will lead you 04:14 < krzee> google will help 04:15 < krzee> assuming my movie works this time 04:15 < krzee> yay finally got past rar18 04:16 < krzee> but ya, specify a log in config file will be the easy way 04:16 < krzee> as seen in my server config file 04:16 < krzee> adios, movie time 04:16 < krzee> (again) 04:36 -!- BoomSie [n=gideon@dw772421126.amsterdam-tc.dataweb.net] has joined ##openvpn 04:39 < kaushal> krzee, hi again 04:40 < kaushal> krzee, yt ? 05:12 -!- edeca [n=david@emo.two-pebbles.com] has left ##openvpn [] 05:27 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 05:49 -!- onre [i=esp@static.fi] has joined ##openvpn 05:49 < onre> hiya. anyone ever set up openvpn on a solaris 10 box with multiple zones? 05:50 < onre> i sort of did just that but i can't access zones other than the global zone on the host running sol10. 05:51 < onre> the vpn addresses are in 10.0.1.0/24 space, whereas the zones live in 10.0.0.0/24. i can ping 10.0.0.1, which is the global zone, and login via ssh, but i can't do same for 10.0.0.2 which is another zone in the same host. 06:13 < krzee> never heard of it being done but if you get it working and dont mind making a little writeup of how ill add it to the bot for the next people 06:14 < cpm> what on earth do you mean by 'zones' ? 06:15 < cpm> what you describe is multiple subnets 06:15 < cpm> !iroute 06:15 < vpnHelper> cpm: "iroute" is does not bypass the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about.
ccd entries are basically included into server.conf, but only for the specified client, so when the network is behind a client the iroute goes into the clients ccd entry. 06:16 < krzee> virtual machines kinda 06:16 < cpm> ah, okay. 06:16 < krzee> Zones 06:16 < krzee> Zones provide a new isolation primitive for the Solaris OS, which is secure, flexible, scalable and lightweight: virtualized OS services which look like different Solaris instances. Together with the existing Solaris Resource management framework, Solaris Zones forms the basis of Solaris Containers. 06:16 < cpm> right right. 06:16 < cpm> okay, I thought you were talking some kinda strange alien solaris speak for subnetting or something. yes, I remember zones. 06:17 < cpm> cool stuff 06:18 < cpm> I think you need to review the routing table for all your zones, can they see the vpn netblocks? 06:18 < cpm> if the vpn can see them, but they can't see the vpn, well, 06:19 < krzee> http://article.gmane.org/gmane.network.openvpn.user/23575 06:19 < vpnHelper> Title: Gmane -- Mail To News And Back Again (at article.gmane.org) 06:19 < krzee> that person seems to have gotten openvpn working in zones 06:19 < krzee> not sure if they can help 06:19 < krzee> (on the openvpn mail list the other day) 06:20 < cpm> solaris people are weird 06:20 < cpm> :) 06:20 < krzee> hey, they gave us ZFS 06:20 * krzee respects 06:21 < cpm> they are still weird 06:21 < krzee> haha 06:22 < krzee> ya and its mainly PJD that brought it to fbsd 06:22 < krzee> so most that respecting goes to him! 06:22 < cpm> yeah, I have a secret respect for them too, in their ivory towers, with their monolithic architectures, and no linux-creeps to annoy them, trying to NT-ise their clean environments, 06:22 < krzee> lol 06:23 < krzee> *cough*ubuntu*cough* 06:23 < cpm> Egg-zactly. 
06:23 < cpm> although RH-esque stuff is pretty near as bad 06:23 < krzee> damn man its 7:30am again 06:23 < krzee> i need to adjust my sleep schedule hah 06:23 < cpm> When was the last time you saw a solaris environment? 06:23 < krzee> hah 06:23 < krzee> no time recent 06:24 < cpm> been a few years, and i was poking around as root, stunned, 'man, it's so /clean/ !' 06:24 < krzee> i think i had an irix box more recent than i seen solaris 06:24 < krzee> lol 06:25 < krzee> aight, shower/bed 06:25 < krzee> nite 06:28 < onre> cpm, zones are a solaris feature... 06:28 < onre> as someone already explained. :/ 06:29 < onre> thanks for replies, though :) reading the gmane url... 06:30 < krzee> !google openvpn solaris zones 06:30 < vpnHelper> krzee: http://blog.pebcak.de/archives/697-BrandZ-Linux-inside-a-Solaris-Zone.html - BrandZ - Linux inside a Solaris Zone - Doomshammer's Weblog 06:30 < krzee> bleh it skipped the one i wanted 06:30 < krzee> Solaris 10 + OpenVPN (tun/tap) 06:30 < krzee> Looks like tun interface *must* be in a global zone, ... (comp.unix.solaris); Re: [SLE] openvpn ... On Thu, 16 Oct 2003 11:10, Paul Alfille wrote: . ... 06:31 < krzee> http://www.google.com/search?hl=en&q=openvpn+solaris+zones&btnG=Google+Search 06:31 < vpnHelper> Title: openvpn solaris zones - Google Search (at www.google.com) 06:31 < onre> yea, you can't do much anything with interfaces in zones other than the "global" zone 06:31 < onre> or routes 06:32 < krzee> then you prolly cant do it, but if you figure out a way pls do report 06:32 < onre> yup... when i set up routes in the global zone, those get inherited into other zones, though 06:32 < cpm> oh, it's got to be doable. 
06:32 -!- Bushmills [n=Bushmill@ip-77-25-162-229.web.vodafone.de] has quit [Remote closed the connection] 06:32 < onre> yea, i'm sure someone has got this to work :) 06:33 < krzee> umm 06:33 < krzee> if routes must be made in global 06:33 < krzee> why not route the other zones through the vpn that is setup on global zone? 06:34 < krzee> seeing as they get inherited 06:35 < dmarkey> onre: are you on sparc or x86? 06:35 < onre> x86. 06:36 < onre> on the routing suggestion - what do you mean by "through the vpn"? 06:49 < onre> also, is it normal for the endpoint ip of the link to be not pingable? 06:50 < onre> that is, when i connect from the laptop, i can ping this host using 10.0.1.1, but not 10.0.1.5 which is windows' idea of gateway to other 10.0.x networks 07:14 < ecrist> morning, kids 07:15 < rmull> morning ecrist 07:24 < ecrist> onre: that's normal 07:25 < cpm> morn'n ecrist 07:26 < onre> thanks. after some extensive use of snoop(1M), i'm almost certain now that i'm somehow failing with convincing the solaris box to actually forward the packets 07:28 -!- nantes_geek [n=nantes_g@ARouen-153-1-67-239.w90-17.abo.wanadoo.fr] has quit [Read error: 110 (Connection timed out)] 08:20 -!- RexMundi [n=RexMundi@off.spillgroup.com] has joined ##openvpn 08:25 < kaynine> krzee: I'm solved ! 08:26 < kaynine> needed to remove the SNAT routing in the server's nat table /g 08:27 < kaynine> Postit: "90% of the time its a firewall issue" :) 08:48 < ecrist> kaynine: correction "90% of the time, it's a firewall or routing issue." 08:49 < kaynine> :) 08:49 < kaynine> So I have the foundation I sought, and from which to build one step at a time. 08:52 < kaynine> tap ... no bridging 08:53 < kaynine> options to deploy: bridging, and redirecting gateway 08:54 < kaynine> and tuning :) 08:54 < ecrist> tap is the bridging interface, properly configured, of course.
08:55 < kaynine> right; I won't try bridging with tun 08:55 < kaynine> but tap certainly doesn't require a bridge 09:14 -!- kaushal [n=kaushal@bbs.webaroo.com] has quit ["Leaving"] 09:21 < dmarkey> does anyone know where i could get support for racoon? 10:06 < ecrist> people still use that? 10:12 -!- decoder [n=decoder@mordor.cs.uni-sb.de] has joined ##openvpn 10:12 -!- decoder [n=decoder@mordor.cs.uni-sb.de] has left ##openvpn ["*gone*"] 10:44 -!- harpal [n=Harpal@122.169.108.195] has joined ##openvpn 10:45 -!- bandini [n=bandini@host161-22-dynamic.20-79-r.retail.telecomitalia.it] has joined ##openvpn 10:45 < harpal> Hey when I start openvpn it shows me TUN/TAP support is not available in this kernel. what's the meaning of that? I have TUN/TAP in kernel 10:47 < ecrist> can you pastebin the error? 11:11 -!- BoomSie [n=gideon@dw772421126.amsterdam-tc.dataweb.net] has quit ["Ex-Chat"] 11:11 -!- mooseman447 [n=mooseman@24.229.203.37.res-cmts.sm.ptd.net] has joined ##openvpn 11:13 -!- bandini [n=bandini@host161-22-dynamic.20-79-r.retail.telecomitalia.it] has quit [Read error: 110 (Connection timed out)] 11:14 < harpal> ecrist: sorry I was not at desk. complete error? 11:18 < ecrist> of course 11:22 -!- xattack [i=invitado@132.248.108.239] has joined ##openvpn 11:23 < mooseman447> would it make sense to alter my /etc/init.d/openvpn to run bridge-start before openvpn starts? 11:29 < ecrist> follow the howto, and you'll be fine. 11:29 * ecrist is out for lunch.
11:36 < harpal> ecrist: ok 11:43 -!- Tex-Twil [n=Elvis@unaffiliated/textwill/x-3280] has joined ##openvpn 11:52 -!- bandini [n=bandini@79.31.110.236] has joined ##openvpn 11:59 -!- harpal [n=Harpal@122.169.108.195] has quit [Connection timed out] 12:06 -!- b3nj [n=legeek@ANancy-257-1-122-163.w90-40.abo.wanadoo.fr] has joined ##openvpn 12:20 -!- mooseman447 [n=mooseman@24.229.203.37.res-cmts.sm.ptd.net] has quit ["Leaving"] 12:31 -!- Tex-Twil [n=Elvis@unaffiliated/textwill/x-3280] has quit ["Quit"] 12:32 * ecrist is back. 12:32 -!- weatherhead [n=danw@cpc1-midd4-0-0-cust684.midd.cable.ntl.com] has joined ##openvpn 12:33 < weatherhead> hello 12:36 < weatherhead> I am still having routing problems :-$ 12:38 < ecrist> what problems? 12:38 < weatherhead> I'm trying to set up openVPN on my LAN 12:39 < weatherhead> I have a router at 192.168.2.1, and the openVPN server is running on a debian box at 192.168.2.102 12:39 < weatherhead> I'm not able to set up routing tables on the gateway, so I'm setting routing tables individually on all the clients 12:40 < ecrist> that's not the most efficient 12:40 < ecrist> can you share your configs, via pastebin? 12:43 < weatherhead> ecrist: how would you suggest doing it? 12:44 < ecrist> can you share your configs, via pastebin? 12:44 < weatherhead> I have decided to start again from scratch with the routing and thought I'd ask on here 12:44 < weatherhead> so, ummm, no not really. I can post the openvpn config, but that doesn't seem to be the problem. Client can connect without issues 12:44 -!- b3nj [n=legeek@ANancy-257-1-122-163.w90-40.abo.wanadoo.fr] has quit ["Leaving"] 12:45 < ecrist> ok, I don't doubt they can connect, it will help me assist you with your routes. 12:46 < weatherhead> ok which config files would you like me to paste 12:47 < ecrist> server 12:47 < weatherhead> ok coming up 12:47 < ecrist> that's the only one I need to see. 
12:47 < m0b> ecrist 12:47 < ecrist> m0b 12:47 < m0b> i got a swissvpn account and still have trouble but ive had it working before 12:47 < m0b> isnt there something like a route command for routing the gateway thru the vpn 12:48 < m0b> i must be missing something ;/ 12:48 < ecrist> push 'redirect-gateway' on the server. 12:48 < m0b> i have that 12:48 < ecrist> that should be all you need. 12:49 < weatherhead> http://www.pastebin.ca/1170025 12:55 -!- weatherhead [n=danw@cpc1-midd4-0-0-cust684.midd.cable.ntl.com] has quit [Remote closed the connection] 12:56 < ecrist> lol 12:57 -!- weatherhead [n=danw@cpc1-midd4-0-0-cust684.midd.cable.ntl.com] has joined ##openvpn 12:58 < ecrist> weatherhead: is this for a single connection VPN? 12:58 < weatherhead> yes it is 12:58 < weatherhead> just wanting a single remote administrator to be able to connect 12:58 < ecrist> and, your client connects, and you get an IP, rights? 12:58 < ecrist> right* 12:58 < weatherhead> the client connects and is able to ping 10.8.0.1 12:59 < weatherhead> and 10.8.0.2 12:59 < ecrist> what's the client's IP address? 12:59 < ecrist> also, your push route is wrong, it should be 'push route 192.168.2.0 255.255.255.0' 13:00 < weatherhead> oh ok 13:00 -!- mooseman447 [n=mooseman@24.229.203.37.res-cmts.sm.ptd.net] has joined ##openvpn 13:01 -!- weatherhead [n=danw@cpc1-midd4-0-0-cust684.midd.cable.ntl.com] has quit [Remote closed the connection] 13:01 -!- burnin [n=burnin@204-228-142-194.ip.xmission.com] has joined ##openvpn 13:02 -!- weatherhead [n=danw@cpc1-midd4-0-0-cust684.midd.cable.ntl.com] has joined ##openvpn 13:02 < weatherhead> sorry, my damn X server keeps crashing 13:02 < weatherhead> could you repeat your last 13:03 < ecrist> also, your push route is wrong, it should be 'push route 192.168.2.0 255.255.255.0' 13:03 < weatherhead> ok I have changed that 13:03 < ecrist> what's the client's IP address? 13:03 < ecrist> VPN IP, that is. 13:03 < weatherhead> you mean internet IP address?
13:04 < weatherhead> isn't it 10.8.0.1? isn't that what the config says 13:04 < ecrist> I'm not asking what the config says, what is the IP address that the client gets. 13:04 -!- xattack [i=invitado@132.248.108.239] has quit ["Leaving"] 13:04 < aia> oh hello there 13:04 < weatherhead> 10.8.0.1 13:05 < ecrist> ok, now, is that client able to ping the LAN? 13:05 < weatherhead> no, except 10.8.0.2 13:05 < ecrist> are you forwarding packets on the server? 13:05 < ecrist> what OS is the server? 13:06 < weatherhead> the server is running debian PPC 13:06 < weatherhead> IP forwarding is enabled 13:07 < ecrist> ok, is the VPN client able to ping the other IPs on the VPN server? 13:07 < weatherhead> I was told that nothing would work, because the machines the packets are being sent to have no idea where to respond 13:07 < weatherhead> I don't understand, sorry 13:07 < ecrist> what IPs are on the server? 13:07 < ecrist> aia - hi. 13:07 < aia> Just curious 13:07 -!- mooseman447 [n=mooseman@24.229.203.37.res-cmts.sm.ptd.net] has quit ["Leaving"] 13:08 < aia> I have my vpn network setup yet I'm not getting any web traffic through, why is that the case? 13:08 < aia> I can connect to rdp fine, etc, etc, but no web traffic 13:08 < weatherhead> the server is at IP 192.168.2.102 13:08 < ecrist> can the VPN ping that IP address? 13:09 < weatherhead> no 13:09 < ecrist> then you don't have IP forwarding setup correctly. 13:10 < weatherhead> ok 13:10 < ecrist> if you have that configured, the VPN will be able to ping all the IPs on the server. 13:10 < ecrist> unless there's a firewall you're not telling me about. 13:10 < weatherhead> there is no firewall except on the internet router 13:11 < weatherhead> if i do cat /proc/sys/net/ipv4/ip_forward I get 1 13:11 < ecrist> *shrug* 13:11 < ecrist> all I know. 13:12 < ecrist> ;) this isn't #debian 13:12 < weatherhead> ok I will try and get that working 13:13 < ecrist> aia: are you doing bridged, routed? 
13:14 < aia> let me see 13:18 < aia> I have an ethernet tunnel it's not routed 13:19 < aia> dev tap is enabled not dev tun 13:20 < ecrist> ok, is your remote internet gateway allowing web traffic from the VPN, and NATting correctly? 13:20 < aia> There is no NAT 13:20 < aia> it should be... 13:21 < aia> it's on a dedicated server 13:25 < ecrist> aia, you're assigning your VPN users internet-routable IPs? 13:26 < aia> I do not have server-bridging enabled... 13:26 < aia> what do you mean I don't fully understand. 13:26 < ecrist> please pastebin your vpn config 13:27 < ecrist> the server config, that is. 13:31 < aia> okay 13:34 < aia> http://pastebin.com/d7e131e1f 13:34 < ecrist> looking... 13:34 < aia> thanks 13:35 < ecrist> ah 13:35 < ecrist> so, your VPN clients are being given 10.8.0.0/24 internet addresses, which doesn't route across the internet, you need to nat your VPN clients to your public internet address. 13:36 -!- mooseman447 [n=mooseman@pool-72-92-98-52.phlapa.east.verizon.net] has joined ##openvpn 13:36 < weatherhead> ecrist: I am pretty sure IP forwarding is working now, but my client still can't ping 192.168.2.102 13:36 < weatherhead> what should the routing table of the openVPN server look like? 13:37 < ecrist> weatherhead: can I see the client config, too, please? 13:37 < weatherhead> yes, two minutes, I will get him to send it to me 13:37 < aia> ecrist: I'm sorry but how would I do that? 13:37 < ecrist> what operating system is on the server? 13:38 < aia> Windows 2003 server 13:39 < ecrist> aia, you need to setup NAT on the Windows 2003 server. 13:39 < ecrist> however, you're not pushing a new gateway, so I don't know why you're having web browser problems. 13:44 < aia> hmm 13:44 < aia> I just would like web traffic to go through the vpn as well 13:46 * cpm believes in pushing all traffic through the vpn. 13:47 < ecrist> cpm, that's not always a good idea, or necessary.
13:48 < aia> cpm: I'm not saying all traffic per se but the web traffic and a few applications 13:48 < ecrist> aia, you need to add "push 'redirect-gateway'" to your config, and setup proper NAT for VPN outbound traffic on your Win2k3 box, then. 13:49 < ecrist> the latter topic is not generally supported here. 13:49 < ecrist> #windows can probably help you. 13:49 < aia> understood 13:49 < aia> Thank you for your help 14:11 < cpm> ecrist, not too sure I agree. If you have a vpn client that is multihomed, you've -de facto- compromised your lan. 14:11 < ecrist> cpm, sure, in some regards. 14:11 < ecrist> there is the bandwidth consideration to be considered, however. 14:11 < cpm> sure. 14:12 < ecrist> many homes have broadband >= that of the remote VPN server. 14:12 < ecrist> you get a p2p setup trying to operate over that, and you're in a pickle. 14:12 < ecrist> not worth the headache, imho. 14:12 < cpm> but this is a case of convenience of pr0n vs having a vpn in the first place. vpn > pr0n in priority. 14:12 < ecrist> and, really, as soon as you put an end-user on your LAN, you've -de facto- compromised your lan. 14:13 < ecrist> I'm not saying pr0n in the convenience, it's a problem for the remote LAN. 14:13 < cpm> agreed. Machines you don't have a high level of control over shouldn't have access to the nice soft chewy lan. 14:14 < cpm> now, if you are talking a vpn bridge, different considerations take place. 14:14 < ecrist> for example, my cable connection at home is 2Mb up, 10Mb down, with 5/50 available (comcast, mpls, ftw) 14:14 < weatherhead> ecrist: this is the client config 14:14 < weatherhead> http://pastebin.com/d98adb11 14:14 < ecrist> that's FAR greater than my 1.5Mb connection on the office pipe. 14:15 < ecrist> could I use pf/ALTQ to shape VPN traffic, sure. But then the remote LAN becomes unusable. 14:15 -!- burnin [n=burnin@204-228-142-194.ip.xmission.com] has quit ["Leaving"] 14:15 < cpm> ecrist, yes.
And when you are logged in to do work, work is what you should be doing. If you need pr0n, and it's not on your file server, well, you just have to wait until the vpn is down. 14:15 < cpm> ecrist, what is the internet for? 14:15 < ecrist> cpm - a lot of people maintain a semi-permanent connection to the VPN. 14:15 < weatherhead> to quoth a great broadway musical, the internet is for pr0n 14:16 < cpm> weatherhead ++ 14:17 < cpm> ecrist, so in essence, you have a hole to the intarwebs outside your corporate edge firewall. 14:17 < ecrist> sure. 14:17 < cpm> this is less than optimal 14:17 < ecrist> *but* my VPN endpoint is behind its own firewall. 14:17 < ecrist> 99% of what we do via VPN is through ssh, so I'm not too concerned. 14:18 < ecrist> the other 1% is jabber/irc/intraweb 14:18 < cpm> so, your vpn endpoint is in a firewalled dmz? 14:18 < ecrist> yep 14:18 < cpm> with no internal lan bridging? 14:18 < ecrist> yep 14:18 < cpm> makes sense. 14:19 < ecrist> the VPN isn't a fool-proof be-all security solution. 14:19 < ecrist> it's designed to simply be _another_ layer of security. 14:20 < weatherhead> ecrist: does that client config look ok to you? 14:20 < ecrist> weatherhead: sorry, didn't look 14:20 < weatherhead> ok 14:20 < weatherhead> http://pastebin.com/d98adb11 14:20 < weatherhead> there it is 14:20 < ecrist> looking... 14:20 < weatherhead> ok 14:21 < ecrist> :\ 14:21 < ecrist> weatherhead: you have mis-matched tun/tap devices. 14:21 < weatherhead> ?? 14:21 < weatherhead> I have tun on both ends 14:21 < ecrist> http://pastebin.com/d7e131e1f <-- look to line 52 14:22 < weatherhead> that is not my config file 14:22 < ecrist> oh, that must be aia's 14:22 < weatherhead> yes 14:23 < weatherhead> http://www.pastebin.ca/1170025 14:23 < weatherhead> that is my server conf 14:23 < ecrist> ok, on the client, do you see a route for the 192.168.2.0/24 network?
14:23 < weatherhead> I will ask him :-)
14:26 -!- Tex-Twil [n=Elvis@unaffiliated/textwill/x-3280] has joined ##openvpn
14:26 < ecrist> Elvis is dead.
14:27 * ecrist sets mode +b ##openvpn *!?=Elvis@*
14:27 < ecrist> :]
14:29 < weatherhead> ecrist: the route is not there
14:29 < ecrist> weatherhead: that's why pings are failing.
14:29 < ecrist> route add 192.168.2.0/24 10.8.0.2
14:29 -!- Tex-Twil_ [n=Elvis@unaffiliated/textwill/x-3280] has joined ##openvpn
14:29 -!- Tex-Twil [n=Elvis@unaffiliated/textwill/x-3280] has quit [Client Quit]
14:29 < ecrist> pings should work fine.
14:30 < ecrist> Elvis is dead.
14:30 < weatherhead> ecrist: that is a command for windows isn't it?
14:30 < cpm> isn't!
14:30 < cpm> take it back!
14:30 < ecrist> Elvis is dead.
14:30 < ecrist> Elvis is dead.
14:30 < ecrist> Elvis is dead.
14:30 < ecrist> :P
14:30 -!- Tex-Twil_ is now known as Tex-Twil
14:30 < ecrist> weatherhead: I think that works on windows, yeah.
14:30 < weatherhead> well I'm on debian
14:30 * ecrist beats weatherhead
14:31 < weatherhead> hehehe sorry
14:31 < ecrist> that's a unix command too, doofus
14:31 < weatherhead> ok
14:31 < weatherhead> I know little to nothing of networks,
14:32 < weatherhead> I can configure NFS and that is about it
14:32 < ecrist> weatherhead: can I see a more current copy of your server config, please?
14:33 < weatherhead> ecrist: it's working now :-D since the client manually added the route
14:34 < weatherhead> oh, actually it isn't working, but he can now ping 192.168.2.102
14:34 < weatherhead> which is a start I guess. I'm pasting new server config file
14:36 < weatherhead> http://pastebin.com/d6f7f5a72
14:36 -!- harpal [n=Harpal@122.169.108.195] has joined ##openvpn
14:40 < ecrist> weatherhead: that's a start.
14:40 -!- kralor [n=kralor@hackincorp.net] has left ##openvpn []
14:40 < ecrist> now, you need to tell your remote default gateway to route 10.8.0.0/24 to 192.168.2.102
14:41 < ecrist> that way, machines on the LAN will work.
14:41 < weatherhead> ecrist: that's not doable
14:41 < ecrist> why not?
14:41 < weatherhead> the default gateway is a dumb router
14:41 < ecrist> weatherhead: most dumb routers can add static routes.
14:41 < weatherhead> hence why I was originally going to add routing tables to every LAN client
14:41 < ecrist> what kind of router is it?
14:41 < weatherhead> ecrist: by dumb router, I mean dumb consumer grade router
14:42 < weatherhead> it's some edimax thing
14:42 < ecrist> weatherhead: if you're doing that, why not set up bridged and give the VPN a LAN IP?
14:42 < weatherhead> oh...... only because the tutorial said routed was better :-p
14:42 < weatherhead> but yes that sounds an awful lot simpler
14:43 < weatherhead> does that mean using TAP instead of TUN
14:44 < ecrist> yes, tap instead of tun.
14:45 < weatherhead> ok
14:45 < ecrist> plus, you need to run the bridging scripts on the server.
14:45 < weatherhead> right
14:45 < weatherhead> is there a tutorial for me to look at?
14:45 < ecrist> !howto
14:45 < vpnHelper> ecrist: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
14:46 < weatherhead> ok am looking
14:46 < weatherhead> ok
14:47 < weatherhead> so which way will be better for me, allowing my DHCP server to give out IPs or making the VPN server to IPs
14:47 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:47 < ecrist> I'd just allow your DHCP server to do it.
14:47 < weatherhead> ok
14:55 -!- mooseman447 [n=mooseman@pool-72-92-98-52.phlapa.east.verizon.net] has quit ["Leaving"]
14:57 -!- Tex-Twil [n=Elvis@unaffiliated/textwill/x-3280] has quit ["Quit"]
14:58 < harpal> ecrist: Hi, I have in log only TUN?TAP support is not available in this kernel
14:58 < ecrist> harpal, compile it in.
14:58 * ecrist goes home.
14:58 < ecrist> I
14:58 < ecrist> 'll be online from there.
14:58 < harpal> ecrist: but where can I find it in the kernel
14:59 < harpal> I searched that but it shows one module and it's enabled
15:23 -!- weatherhead [n=danw@cpc1-midd4-0-0-cust684.midd.cable.ntl.com] has quit [Remote closed the connection]
15:39 * ecrist is home
15:42 < ecrist> harpal: have you looked on google or the openvpn howto for that error?
16:00 -!- harpal [n=Harpal@122.169.108.195] has quit [Connection timed out]
16:36 -!- harpal [n=Harpal@121.246.75.165] has joined ##openvpn
16:36 < harpal> ecrist: hey have you reached home? are you around?
16:52 -!- weatherhead [n=danw@cpc1-midd4-0-0-cust684.midd.cable.ntl.com] has joined ##openvpn
16:52 < weatherhead> ecrist: are you there?
16:57 < harpal> weatherhead: I don't think so. I am also searching for him
16:59 < weatherhead> ok
17:01 -!- weatherhead [n=danw@cpc1-midd4-0-0-cust684.midd.cable.ntl.com] has quit [Read error: 60 (Operation timed out)]
17:18 < ecrist> I'm here now.
17:20 < ecrist> going once...
17:23 < ecrist> going twice...
17:25 < harpal> ecrist: hey
17:25 < harpal> Can you tell me what I should do?
17:26 < ecrist> harpal: have you looked on google or the openvpn howto for that error?
17:26 < harpal> in the openvpn howto there is no such error I found
17:27 < ecrist> and google?
17:28 < harpal> ecrist: tried google but found no solution for that
17:28 < ecrist> can you tell me the 'exact' error?
17:30 < harpal> ya it's TUN/TAP support is not available in this kernel
17:30 < ecrist> that's verbatim?
17:31 < ecrist> and you're using debian?
17:31 < ecrist> what version
17:32 < harpal> ecrist: no I am using gentoo
17:33 < harpal> I have the same error in my log also. nothing more
17:33 < ecrist> and you have tun/tap enabled in your kernel?
17:33 < ecrist> see if this helps you: http://gentoo.linuxhowtos.org/openvpn/openvpn.htm
17:33 < vpnHelper> Title: Gentoo Linux Howtos: openvpn -> openvpn install (at gentoo.linuxhowtos.org)
17:33 < ecrist> I've got to go again for a while.
17:34 < ecrist> !learn gentoo http://gentoo.linuxhowtos.org/openvpn/openvpn.htm
17:34 < vpnHelper> ecrist: Invalid arguments for learn.
17:34 < ecrist> !learn gentoo http://gentoo.linuxhowtos.org/openvpn/openvpn.htm foo
17:34 < vpnHelper> ecrist: Invalid arguments for learn.
17:34 < ecrist> fucking bot
17:34 * ecrist kicks vpnHelper
17:35 < harpal> hey thanks. I am just checking that.
17:46 -!- aia [n=aia@unaffiliated/aia] has quit [Read error: 145 (Connection timed out)]
17:55 -!- Pavel [n=pavel@207-180-185-17.c3-0.sbo-ubr1.sbo.ma.cable.rcn.com] has joined ##openvpn
18:04 < harpal> ecrist: Hey thanks it's working fine. I solved the error. I had enabled another module of TUN/TAP which is not required. Now I rebuilt the kernel and it's working fine
18:19 < Pavel> Hello. Following the HowTo, I am "almost there" getting a VPN to work on a Debian server and client, with the client being behind a NAT firewall. The client connects to the server and everything initializes successfully. However, I cannot ping the server, and when I try to, the server gives repeated "MULTI: bad source address from client [NAT.public.address.here], packet dropped" messages, and there is no reply, alth
18:19 < Pavel> ough there is DNS resolution.
18:21 < Pavel> Never mind...
18:21 < Pavel> I think I understand.
18:35 -!- weatherhead [n=danw@cpc1-midd4-0-0-cust684.midd.cable.ntl.com] has joined ##openvpn
18:51 -!- mooseman447 [n=mooseman@24.229.203.37.res-cmts.sm.ptd.net] has joined ##openvpn
18:53 -!- burnin [n=burnin@204-228-142-194.ip.xmission.com] has joined ##openvpn
19:06 -!- Pavel [n=pavel@207-180-185-17.c3-0.sbo-ubr1.sbo.ma.cable.rcn.com] has quit ["Client exiting"]
19:28 -!- SilenceGold [n=chris@70.232.50.35] has quit [Nick collision from services.]
19:28 -!- SilenceGold [n=chris@adsl-70-232-106-91.dsl.ltrkar.sbcglobal.net] has joined ##openvpn
19:41 -!- mooseman447 [n=mooseman@24.229.203.37.res-cmts.sm.ptd.net] has quit ["Leaving"]
19:42 -!- weatherhead [n=danw@cpc1-midd4-0-0-cust684.midd.cable.ntl.com] has quit [Read error: 104 (Connection reset by peer)]
20:18 < krzee> !learn gentoo as http://gentoo.linuxhowtos.org/openvpn/openvpn.htm
20:18 < vpnHelper> krzee: The operation succeeded.
20:18 < krzee> haha
20:20 -!- aia [n=aia@unaffiliated/aia] has joined ##openvpn
20:47 -!- qkit [n=ykkiew@219.93.198.237] has joined ##openvpn
20:47 < qkit> morning all, guys wonder can i do vpn server to vpn server tunneling?
20:47 < qkit> if it can be done where can i get more resources / information about it?
20:48 < kaynine> unofficial response: OpenVPN is peer; not client/server (except in TLS negotiation)
20:49 < kaynine> more information at openvpn.net :)
20:49 < krzee> ymm
20:49 < krzee> umm
20:49 < krzee> it's client/server
20:49 < krzee> BUT
20:49 < krzee> with the same app
20:49 < krzee> just slight change in config
20:49 < krzee> qkit, what is your real goal?
20:51 < kaynine> krzee: you haven't been reading your man page :)
20:51 -!- aia [n=aia@unaffiliated/aia] has quit [Read error: 110 (Connection timed out)]
20:52 < qkit> my goal is that i want the branch office vpn server always tunneling to the hq vpn server, meaning connectivity on both sides, as i understand it can only be client and server right.
20:52 < krzee> kaynine, well then they chose a very bad name for config options
20:52 < krzee> !sample
20:52 < vpnHelper> krzee: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs
20:52 < krzee> client-config-dir /home/krzee/vpn/ccd
20:52 < krzee> server 10.8.1.0 255.255.255.0
20:53 < krzee> client
20:53 < krzee> dev tun
20:53 < kaynine> I did notice the confusion; and was glad to have it straightened out
20:53 < krzee> kaynine, however, there does exist the possibility of using static keys, in which case there are no client/server
20:53 < krzee> anyways
20:53 < kaynine> it turns out that 'client' and 'server' are just macros
20:54 < krzee> qkit, normal setup from what it sounds like
20:54 < kaynine> the manpage reads "Note that client or server designation only has meaning for the TLS subsystem. It has no bearing on OpenVPN's peer-to-peer, UDP-based communication model.
20:54 < kaynine> "
20:54 < krzee> server config listens, client config connects
20:54 < krzee> kaynine, any suggestions for calling it something other than client and server?
20:55 < kaynine> not yet, krzee; I'm brand new here
20:55 < krzee> cause listening peer and connecting peer just don't have the same ring
20:55 < krzee> hehe
20:55 < krzee> ahh, welcome =]
20:55 < krzee> and good job for reading the man, you may or may not be surprised how unread it is
20:55 < krzee> i haven't read the whole thing in awhile
20:56 < krzee> (but then again my clients and servers are all working perfect)
20:56 < krzee> hehe
20:56 < kaynine> in spite of what the manpage says, in my first setup, there's one server and multiple clients.
20:56 < krzee> ya
20:56 < qkit> thanks kaynine, reading on it now.
20:57 < krzee> qkit, from what you describe that's a very normal setup
20:57 < krzee> my sample configs should work
20:57 < kaynine> I found the HOWTO to be extremely good; and the manpage to have very valuable additional information
20:57 < krzee> if you want the lans behind the client/server to work you will need routes, and iroutes
20:57 < krzee> may even need to push routes
20:57 < krzee> kaynine, agreed
20:58 < krzee> !howto
20:58 < krzee> !man
20:58 < vpnHelper> krzee: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
20:58 < vpnHelper> krzee: "man" is http://openvpn.net/index.php/documentation/manuals/openvpn-20x-manpage.html the man pages are your friend!
20:58 < krzee> there has only been one thing i had to dig into source code for, but that's when i was doing something that it seems nobody else ever cared to document (or possibly even use)
20:59 < kaynine> It's the best HOWTO tutorial I have ever seen. I'm really impressed with that. Kudos to whoever.
20:59 < krzee> totally
20:59 -!- aia [n=aia@unaffiliated/aia] has joined ##openvpn
21:00 < qkit> hmm, sorry for asking a noob question, i am still in the process of finishing the man and how to. hmm, if it is set to client and server, will only the client be able to access the server but not the server access the client? i mean a one way connection?
21:01 < krzee> no
21:01 < krzee> they communicate both ways
21:01 < krzee> only real diff is who initiates it
21:02 < krzee> and server issues clients VPN ips
21:03 < qkit> i mean the connection is not permanently established, only when there is traffic requesting a vpn will the client initiate the vpn connection from the server which acts as a client?
21:04 < kaynine> yeah; that's more 'server' than 'peer' isn't it?
21:04 < krzee> no they stay connected
21:04 < krzee> kaynine, imo, yes
21:04 < krzee> but i guess as far as internal code maybe not
21:04 < krzee> *shrug*
21:04 < krzee> whoever wrote the manpage knows more than me about openvpn
21:04 < krzee> hehe
21:05 < kaynine> qkit: only root/administrator can start/stop the vpn
21:06 < kaynine> a,/,|,
21:06 < krzee> connection stays regardless of traffic flowing over the connection
21:06 < krzee> and if you look at my samples
21:06 < krzee> !sample
21:06 < vpnHelper> krzee: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs
21:06 < krzee> keepalive 10 120
21:06 < krzee> that allows it to see when the tunnel is down and restart it
21:07 < krzee> persist-key
21:07 < krzee> persist-tun
21:07 < krzee> that allows it to keep the keyfiles and tunnel it was using even after it has dropped its root privs
21:07 < krzee> so it can reconnect still
21:08 -!- harpal [n=Harpal@121.246.75.165] has quit [Read error: 104 (Connection reset by peer)]
21:12 < ecrist> evening, folks.
21:13 < qkit> hmm, thanks krzee, well i think i better head for the man and how to, to learn more before i ask again ..thanks for the tips and info :P
21:13 * qkit reading.....
21:14 < krzee> np
21:14 < krzee> evening ecrist
21:14 < krzee> i added gentoo for you
21:15 < ecrist> :)
21:15 < krzee> it's learn key as info
21:15 < krzee> as
21:15 < ecrist> ah, missing that key word.
21:15 < krzee> aye
21:38 -!- near [n=near@88-122-27-106.rev.libertysurf.net] has quit [Read error: 110 (Connection timed out)]
21:38 -!- near [n=near@88-122-19-193.rev.libertysurf.net] has joined ##openvpn
21:44 -!- chesty [n=chesty@chesterton.id.au] has left ##openvpn []
23:14 -!- mooseman447 [n=mooseman@24.229.203.37.res-cmts.sm.ptd.net] has joined ##openvpn
23:32 -!- desrt [n=desrt@ubuntu/member/desrt] has joined ##openvpn
23:33 < desrt> Thu Aug 14 00:29:25 2008 us=542519 VERIFY X509NAME ERROR: /CN=openvpn-copacetic.desrt.ca, must be openvpn-copacetic.desrt.ca
23:33 < desrt> doesn't that seem a little bit harsh?
23:33 * desrt would have assumed that the name given in tls-remote was the certificate common name
23:34 < desrt> (giving the full x509 name works... it just seems a little bit ridiculous)
23:35 < desrt> and considering the manpage actually says that giving the common name is supported, this seems like a bug
23:38 < desrt> am i missing something very obvious, or where should i file a bug?
23:58 -!- qkit [n=ykkiew@219.93.198.237] has left ##openvpn []
23:59 -!- burnin [n=burnin@204-228-142-194.ip.xmission.com] has quit ["Leaving"]
--- Day changed Thu Aug 14 2008
00:03 -!- mooseman447 [n=mooseman@24.229.203.37.res-cmts.sm.ptd.net] has quit ["Leaving"]
00:20 -!- rmull is now known as rmull_
00:25 -!- mooseman447 [n=mooseman@24.229.203.37.res-cmts.sm.ptd.net] has joined ##openvpn
00:48 -!- mooseman447 [n=mooseman@24.229.203.37.res-cmts.sm.ptd.net] has quit [Remote closed the connection]
00:50 -!- desrt [n=desrt@ubuntu/member/desrt] has left ##openvpn []
01:01 -!- bandini [n=bandini@79.31.110.236] has quit [Remote closed the connection]
01:51 < kraut> morning
02:02 -!- BoomSie [n=gideon@dw772421126.amsterdam-tc.dataweb.net] has joined ##openvpn
02:24 -!- mooseman447 [n=mooseman@24.229.203.41.res-cmts.sm.ptd.net] has joined ##openvpn
02:25 -!- mooseman089 [n=mooseman@24.229.203.41.res-cmts.sm.ptd.net] has joined ##openvpn
02:31 -!- mooseman447 [n=mooseman@24.229.203.41.res-cmts.sm.ptd.net] has quit [Read error: 60 (Operation timed out)]
02:33 -!- mooseman447 [n=mooseman@pool-70-20-169-3.phil.east.verizon.net] has joined ##openvpn
02:49 -!- mooseman089 [n=mooseman@24.229.203.41.res-cmts.sm.ptd.net] has quit [Read error: 110 (Connection timed out)]
03:03 -!- mooseman447 [n=mooseman@pool-70-20-169-3.phil.east.verizon.net] has quit [Read error: 110 (Connection timed out)]
03:13 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
03:25 -!- BoomSie [n=gideon@dw772421126.amsterdam-tc.dataweb.net] has quit [Remote closed the connection]
03:50 -!- bandini [n=bandini@host236-110-dynamic.31-79-r.retail.telecomitalia.it] has joined ##openvpn
03:57 -!- BoomSie [n=gideon@dw772421126.amsterdam-tc.dataweb.net] has joined ##openvpn
04:17 -!- bandini [n=bandini@host236-110-dynamic.31-79-r.retail.telecomitalia.it] has quit [Read error: 110 (Connection timed out)]
04:18 -!- bandini [n=bandini@host173-110-dynamic.31-79-r.retail.telecomitalia.it] has joined ##openvpn
06:40 -!- aptanet [n=Paul@87-127-190-18.no-dns-yet.enta.net] has joined ##openvpn
07:42 -!- SirFunk [n=jeffutte@206-159-155-246.netsync.net] has quit [Read error: 110 (Connection timed out)]
07:49 < ecrist> good morning, kids.
08:29 < ecrist> you guys suck
08:30 -!- aia [n=aia@unaffiliated/aia] has quit [Read error: 110 (Connection timed out)]
08:45 < onre> yeah, we do.
09:03 -!- djs [n=djs@unaffiliated/djs26] has quit [No route to host]
09:42 -!- ITguru [n=Mr@82.108.189.20] has joined ##openvpn
09:43 < ITguru> network manager and openvpn are really doing my head in!!
09:45 < ecrist> ?
09:45 < ecrist> you may have to be a bit more specific.
09:45 < ecrist> :)
09:59 < ITguru> oh, sorry!
09:59 < ITguru> Basically, I've got a .p12 file to use to connect, which is fine from the command line
10:00 < ITguru> network manager on the other hand, doesn't really like p12 files, and i've had to split the files into a CA file, a CRT file, and a key file
10:00 < ITguru> after about three weeks, I realised that the CA file required is the one from the openvpn server
10:01 < ITguru> I can't find the damn CA file on the server :( - all my other openvpn servers, I have the CA file already, and this one is a plugin for smoothwall, so the files are in different locations
10:04 < krzee> then just rebuild your keys
10:04 < krzee> btw i've heard nothing but bad things about using network manager and openvpn together
10:15 < ITguru> krzee, same here - it does work, but they should implement p12 support
10:16 < ecrist> ITguru: if you look in the server config file, it should give you the path to the ca file.
10:17 * ecrist finally figures out mediawiki templates.
10:18 < ITguru> ecrist, I think I found it, it's a PEM file
10:25 -!- snowboarder04 [n=un@serv.bemail.co.uk] has joined ##openvpn
10:27 < snowboarder04> I'm writing an article on openvpn, does anyone know roughly when the "OpenVPN Tool Box Value Add Package" (as seen in the Coming Soon box top-right of the openvpn website) is due to be launched and if this package will be charged / subscription based?
10:28 * ecrist doesn't know.
10:28 -!- rmull_ is now known as rmull
10:53 -!- BoomSie [n=gideon@dw772421126.amsterdam-tc.dataweb.net] has quit ["Ex-Chat"]
10:55 -!- bandini [n=bandini@host173-110-dynamic.31-79-r.retail.telecomitalia.it] has quit [Remote closed the connection]
11:09 -!- ^scott^ [n=scott@stthom.org] has joined ##openvpn
11:09 < ^scott^> yay vista! I've got OpenVPN-gui configured to run at startup, and I've selected the check box to run it as administrator, but windows blocks the program from starting up
11:09 < ^scott^> Has anyone seen this before?
11:10 -!- xattack [i=invitado@132.248.108.239] has joined ##openvpn
11:10 < ecrist> Vista is the devil.
11:10 < ^scott^> and so many other negative words which can't be spoken of in front of little children.
11:10 < xattack> hahahaha
11:11 < ^scott^> nonetheless, it's a total pain to buy a computer running anything other than Vista nowadays, so it's something I have no choice in supporting :-(
11:13 < ^scott^> Lemme try putting the checkbox on the openvpn executable instead, maybe Vista is not bright enough to watch forks()
11:14 < ecrist> ^scott^: for sure. you have to add an exception somewhere, don't know where, to allow it to run as an administrator.
11:14 < ^scott^> Ugh, no go.
11:15 < ^scott^> What's worse, is if you do add it to the openvpn-gui, Windows Defender catches this and disallows execution.
11:15 < ^scott^> If you look at the help file, it says that you should contact the vendor to see if there is a newer version
11:15 < ecrist> Windows Defender should be configurable to allow it, shouldn't it?
11:15 < ecrist> lol
11:15 < ^scott^> Of course, they don't say what magic back flip they expect the vendor to pull
11:17 < ^scott^> Yea, let's start down that pathway. I'd like to leave this feature on in general. In principle, it sounds great, but if only UAC could ask me once when I click that run as admin check box. Alas, it does not prompt me using UAC when I click that check box (logic in this one?)
11:18 < ^scott^> pffft
11:18 < ^scott^> Wikipedia states thusly:
11:19 < ^scott^> Windows Defender in Windows Vista automatically blocks all startup items that require administrator privileges to run (this is considered a bad behavior for a startup item). There is no known easy way to automatically unblock these items, the only suggestion given is to contact the software vendor for an updated version which is Windows Vista compatible (does not require administrator privileges to run). This automatic blocking is related to the UAC (User Acc
11:19 < ^scott^> functionality in Windows Vista, and requires the user to manually run each of these startup items each time they log in.
11:20 < ^scott^> Evidently OpenVPN-gui is supposed to be written such that I guess there's a service and a user-facing prog that doesn't require admin rights to interface with the service.
11:22 < ^scott^> Hmm . . . there is the openvpn service. If memory serves me right, there was a way to do this.
11:24 < ^scott^> Ah hah, I seek docs and I shall find.
11:27 -!- aia [n=aia@unaffiliated/aia] has joined ##openvpn
11:33 -!- ITguru [n=Mr@82.108.189.20] has quit [Remote closed the connection]
11:38 -!- aptanet [n=Paul@87-127-190-18.no-dns-yet.enta.net] has quit [Nick collision from services.]
11:50 < ^scott^> :-( Now I'm trying to figure out how to let a User start/stop services
11:51 < ecrist> ^scott^: would you do me a favor, and if you get it all figured out, document it for me?
11:51 < ecrist> I've got a wiki, https://www.secure-computing.net/wiki/index.php?OpenVPN
11:51 < vpnHelper> Title: Main Page - Secure Computing Wiki (at www.secure-computing.net)
11:52 < ecrist> create a page, let me know where it is.
11:52 < ecrist> help other users out. :)
11:52 < ^scott^> Sure, it's mostly going to be driven on http://openvpn.se/files/howto/openvpn-howto_run_openvpn_as_nonadmin-Rev1.1.html
11:52 < vpnHelper> Title: HowTo Run OpenVPN as a non-admin user in Windows (at openvpn.se)
11:53 < ^scott^> Directions are mostly helpful, the only thing I need now is vista-specific for letting a user interact with a service. I'm about to find that, I can feel it!
12:00 < ^scott^> I'm reaching the point where I'm considering giving up. The easy fix is to not start openvpn-gui at startup
12:00 < ^scott^> Leave the app with the magic checkbox to run as admin, and have the client run it interactively, so that the UAC prompt can occur.
12:07 < ^scott^> Yea, I hate to say it, letting the user start/stop the service isn't the best pathway to go down. The service really should start at system startup, but not connect VPN (unless configured to start at boot) until openvpn-gui starts talking to it, and then there ought to be a comm channel (mathias mentions a TCP socket in that doc page) that allows for the starting of the OpenVPN connection from anywhere.
12:07 < ^scott^> *le sigh* then anyone could connect to that TCP socket (albeit locally) to control that openvpn service, that's not ideal.
12:10 -!- aia [n=aia@unaffiliated/aia] has quit [Read error: 110 (Connection timed out)]
12:24 -!- Bushmills [n=Bushmill@verhau.de] has joined ##openvpn
12:24 < krzee> running vista is not ideal too :-p
12:25 < krzee> hehehe
12:27 < Bushmills> krzee: openvpn between the mobile phone client and server works now, i was here yesterday with the problem of err111, because server couldn't connect back to client.
12:28 < Bushmills> thanks for your help
12:42 < ^scott^> lol client just called. They said, in so many words "
12:42 < ^scott^> "vista wtfbbq, we didn't order no stinkin' vista!"
12:42 < ^scott^> Disaster averted!
12:56 -!- aptanet [n=Paul@87-127-190-18.no-dns-yet.enta.net] has joined ##openvpn
13:28 -!- burnin [n=burnin@204-228-142-194.ip.xmission.com] has joined ##openvpn
13:36 -!- aia [n=aia@unaffiliated/aia] has joined ##openvpn
13:57 -!- xattack [i=invitado@132.248.108.239] has quit ["Leaving"]
14:01 -!- Axet [n=john@82.227.5.9] has joined ##openvpn
14:01 < Axet> hi all
14:03 < Axet> I've been playing around with openvpn's client-conf-dir for the first time and would like some help if possible. My openvpn server is running in a vserver, I've created the tun device for it but I don't understand how openvpn can cope with the multiple clients and how it is supposed to assign the tun devices to each client
14:04 < Axet> I'm interested in using the client-conf-dir to avoid opening a port per client (I use openvpn mainly for site to site vpns)
14:04 < ecrist> Axet: usually, ccd is for static IPs or custom authentication rules.
14:05 < Axet> ecrist: my idea is to use it to assign static ips for site to site vpns
14:06 < Axet> I've never used the pool option
14:06 < Axet> I've always used static ips
14:08 < ecrist> ok, so what's the problem, exactly?
14:09 < Axet> I think I'm getting mixed up because of how vserver handles devices, someone is explaining it to me on the official vserver chan
14:09 -!- burnin [n=burnin@204-228-142-194.ip.xmission.com] has quit ["Leaving"]
14:09 < Axet> thanks anyway :)
14:09 < ecrist> Axet: only one tun device gets created.
14:09 < ecrist> period.
14:10 < ecrist> with 2.0.x, anyways
14:14 -!- bandini [n=bandini@host173-110-dynamic.31-79-r.retail.telecomitalia.it] has joined ##openvpn
14:14 -!- kala [i=kala@tux.linux.ee] has joined ##openvpn
14:21 -!- pumkinhed_ [n=pumkinhe@mail.guardianchem.ca] has joined ##openvpn
14:28 -!- pumkinhed [n=pumkinhe@mail.guardianchem.ca] has quit [Read error: 110 (Connection timed out)]
14:54 -!- kala_ [i=kala@uba.linux.ee] has joined ##openvpn
15:22 -!- kala_ [i=kala@uba.linux.ee] has quit ["leaving"]
15:22 -!- kala_ [i=kala@uba.linux.ee] has joined ##openvpn
15:25 -!- am88b [i=siim@uba.linux.ee] has joined ##openvpn
15:26 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn
15:27 -!- am88b [i=siim@uba.linux.ee] has left ##openvpn []
15:30 -!- kala_ [i=kala@uba.linux.ee] has quit ["leaving"]
15:30 -!- kala_ [i=kala@uba.linux.ee] has joined ##openvpn
15:57 -!- mcp [n=hightowe@wolk-project.de] has joined ##openvpn
16:30 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Read error: 54 (Connection reset by peer)]
16:38 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn
16:46 -!- mooseman447 [n=mooseman@24.229.203.37.res-cmts.sm.ptd.net] has joined ##openvpn
16:57 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Client Quit]
17:16 -!- aptanet [n=Paul@87-127-190-18.no-dns-yet.enta.net] has quit [Read error: 113 (No route to host)]
17:17 -!- aptanet [n=Paul@87-127-190-18.no-dns-yet.enta.net] has joined ##openvpn
17:54 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
18:01 -!- Cyllene [i=DMFxUxOv@unaffiliated/cyllene] has joined ##openvpn
18:01 < Cyllene> krzee: Hey
18:01 -!- mooseman447 [n=mooseman@24.229.203.37.res-cmts.sm.ptd.net] has quit [Remote closed the connection]
18:04 < Cyllene> You here?
18:14 < ecrist> how goes, Cyllene
18:15 < Cyllene> I heard a rumor that EFnet's servers have been broken into
18:15 < Cyllene> I want to call bullshit.
18:17 -!- aia [n=aia@unaffiliated/aia] has quit [Read error: 60 (Operation timed out)]
18:45 -!- mooseman447 [n=mooseman@24.229.203.37.res-cmts.sm.ptd.net] has joined ##openvpn
19:09 -!- mooseman557 [n=mooseman@24.229.203.37.res-cmts.sm.ptd.net] has joined ##openvpn
19:17 -!- mooseman557 [n=mooseman@24.229.203.37.res-cmts.sm.ptd.net] has quit ["Leaving"]
19:27 -!- mooseman447 [n=mooseman@24.229.203.37.res-cmts.sm.ptd.net] has quit [Remote closed the connection]
19:37 -!- aptanet [n=Paul@87-127-190-18.no-dns-yet.enta.net] has quit ["Leaving"]
19:55 -!- Optic [n=dfraser@miso.capybara.org] has joined ##openvpn
19:56 < Optic> hey, what was that nat-traversal technique called? I'm looking for the article on it again
19:56 * Optic pokes rmull
19:58 < Optic> hole punching! i remembered :)
20:13 -!- Axet [n=john@82.227.5.9] has quit []
20:31 -!- Cyllene [i=DMFxUxOv@unaffiliated/cyllene] has quit ["leaving"]
21:02 -!- burnin [n=burnin@204-228-142-194.ip.xmission.com] has joined ##openvpn
21:05 -!- Valect [n=aaron@24-113-87-90.wavecable.com] has joined ##openvpn
21:05 < Valect> ok i'm completely lost
21:05 < Valect> i have a subnet on 192.168.1.0/24, and openvpn is configured as such: server 192.168.10.0 255.255.255.0
21:05 < Valect> push "route 192.168.1.0"
21:06 < Valect> but i can't seem to reach the 192.168.1.0/24 subnet with clients
21:10 < SilenceGold> 192.168.1.0 is invalid gateway ip address
21:11 < SilenceGold> you give the clients the gateway ip that the openvpn is using unless you are using bridge ..
21:11 < Valect> so what should my config look like
21:11 < SilenceGold> hrm I said that wrong
21:11 < SilenceGold> Valect I don't know...I have no idea what you want to do.
21:11 < SilenceGold> I do not hold hands
21:11 < SilenceGold> there is plenty of documentation to get things working
21:12 < Valect> i want to be able to reach another subnet on the lan the openvpn server is on
21:12 < SilenceGold> if you are using the route engine of openvpn
21:12 < SilenceGold> openvpn will grab an ip address to use as the gateway ip address
21:12 < Valect> could the issue be that the client happens to be on a 192.168.1.0/24 subnet?
21:12 < SilenceGold> the client will need a route to the openvpn's server ip address...
21:12 < SilenceGold> then when the openvpn connection is, there will be a new route created that will redirect all traffic to go toward to the openvpn's created router ip address
21:13 < SilenceGold> *then when the openvpn connection is established, there
21:13 < Valect> i know, and my configuration isn't working, and i'm trying to figure out why
21:13 < SilenceGold> that's what "push route .." does
21:13 < SilenceGold> try reading some examples in some freely available documentation
21:14 < Valect> i've read every god damned page, 20 something odd configurations, and people telling me exactly what to do, and it still isn't working
21:14 < Valect> thanks for the philosophy
21:14 -!- Valect [n=aaron@24-113-87-90.wavecable.com] has left ##openvpn []
21:37 -!- near [n=near@88-122-19-193.rev.libertysurf.net] has quit [Read error: 110 (Connection timed out)]
21:37 -!- near [n=near@83-155-185-247.rev.libertysurf.net] has joined ##openvpn
21:41 -!- Valect [n=aaron@24-113-87-90.wavecable.com] has joined ##openvpn
21:41 < Valect> sorry
21:41 < Valect> anyway, the issue was what i thought
21:41 < Valect> same subnet = no good
21:42 -!- Valect [n=aaron@24-113-87-90.wavecable.com] has left ##openvpn []
22:08 -!- djs26 [n=djs@unaffiliated/djs26] has joined ##openvpn
22:09 -!- djs26 is now known as djs
22:43 -!- burnin [n=burnin@204-228-142-194.ip.xmission.com] has quit ["Leaving"]
--- Day changed Fri Aug 15 2008
00:25 -!- mooseman447 [n=mooseman@24.229.203.37.res-cmts.sm.ptd.net] has joined ##openvpn
00:26 < mooseman447> hey does anybody know if there is a way to configure a server to run a command whenever someone connects, like send an email?
00:28 < krzee> --client-connect script ]
00:29 < krzee> or in config, client-connect script
00:29 < mooseman447> ok awesome
00:29 < mooseman447> pki is a pretty secure way of connecting right?
00:30 < krzee> lemme see your server config
00:30 < krzee> pastebin
00:30 < mooseman447> ok give me a sec
00:31 < mooseman447> http://pastebin.com/d4891a177
00:31 < mooseman447> i know running as a non-root user is a good security step but i'll do that later
00:32 < krzee> why later?
00:32 < krzee> it's just 2 entries in the config
00:32 < mooseman447> i'm lazy?
00:32 < krzee> !sample
00:32 < vpnHelper> krzee: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs
00:32 < krzee> user vpn
00:32 < krzee> group vpn
00:32 < mooseman447> oh i thought i had to do all this fancy stuff
00:32 < krzee> or nobody
00:32 < krzee> or whatever
00:32 < mooseman447> and it just works like that?
00:32 < krzee> only for windows
00:33 < krzee> err
00:33 < krzee> only for windows it needs fancy stuff
00:33 < mooseman447> oh well my server is linux
00:33 < krzee> then it's simple
00:33 < krzee> just choose a sandbox user/group that nothing else is using
00:33 < krzee> *done*
00:33 < mooseman447> good deal
00:33 < krzee> it drops its privs after
00:34 < krzee> persist-key
00:34 < krzee> persist-tun
00:34 < krzee> add those too
00:34 < krzee> !user
00:34 < vpnHelper> krzee: (user [] ) -- Returns the last time was seen and what was last seen saying. This looks up in the user seen database, which means that it could be any nick recognized as user that was seen. is only necessary if the message isn't sent in the channel itself.
00:34 < mooseman447> the other thing i need to fix is it doesnt start automatically yet but i think thats because i need to run bridge-start before openvpn 00:34 < krzee> !privledges 00:34 < vpnHelper> krzee: Error: "privledges" is not a valid command. 00:36 < mooseman447> so how is my config that i showed you? 00:36 < krzee> !learn privledges as just choose a sandbox user/group that nothing else is using, then in config use: user vpnuser and group vpngroup , and if it is the server add: persist-key and persist-tun 00:36 < vpnHelper> krzee: The operation succeeded. 00:36 < krzee> looks good 00:36 < krzee> you're using hmac verification 00:36 < krzee> tls auth 00:36 < krzee> as well as standard certs 00:37 < krzee> client uses ns-cert-type server 00:37 < krzee> ? 00:38 < mooseman447> yes 00:38 < krzee> ya you did it right 00:38 < krzee> only way it could be beefed up is keysizes 00:38 < krzee> but yours is good 00:39 -!- xybr2 [n=xybre@bb4win/users/fluffy] has joined ##openvpn 00:39 < mooseman447> ok so with a non-root user and email notifications it will be pretty safe 00:39 < krzee> as good as it gets 00:39 < krzee> =] 00:40 < mooseman447> any advice on making sure bridge-start runs before openvpn on boot? 00:40 < krzee> start it via a script which runs both 00:41 < krzee> either via the OS's method or turn off the OS's method and add a @reboot crontab entry 00:41 < xybr2> I have a linux server running openvpn server, and I can see my incoming connections, but it wont actually connect 00:41 < mooseman447> ok and also can i fit in my script to add iptable rules too? 00:41 < krzee> xybr2 00:41 < krzee> !logs 00:41 < vpnHelper> krzee: "logs" is is please pastebin your logfiles from both client and server with verb set to 6 00:42 < xybr2> right. 00:42 < krzee> mooseman447, you can put anything in it you feel like =] 00:42 < mooseman447> yay! 
00:48 < xybr2> http://pastebin.com/d1e3bac5a 00:51 < xybr2> I killed the openvpn process after that, btw 00:53 < krzee> different internal lans? 00:53 < krzee> err, ip blocks on the lans are different? 00:54 < xybr2> Client side has 168, and there really isnt a lan on the server side 00:54 < krzee> cool 00:54 < krzee> what kind of link are they on? 00:55 < krzee> decent? 00:56 < xybr2> Client has an 8meg line, server side is data center, I forget the pipe 00:56 < krzee> paste your configs 00:56 < krzee> pls 00:59 < xybr2> Server is the default config, only differences are cert/key names, no compression, and verbosity. 01:00 < xybr2> Same for client 01:00 < krzee> well if you dont care to have your configs checked I'd say you should regenerate your keys 01:01 < krzee> seemed to help other people with the same error 01:01 < xybr2> I did vimdiff to compare 01:02 < krzee> server config drops privs? 01:02 < krzee> if so, does it have persist-key 01:02 < krzee> persist-tun 01:02 < krzee> is there a keep-alive 01:02 < krzee> s/-// 01:04 < xybr2> http://pastebin.com/d4edeb68a 01:05 < krzee> fun to read with all the comments 01:05 < krzee> heh 01:05 < xybr2> Yeah 01:05 < xybr2> Default config >.< 01:17 < krzee> http://pastebin.com/m5393d486 01:19 < krzee> ya looks like you should regen certs 01:19 < krzee> you followed the howto while making them? 01:19 < krzee> !howto 01:19 < vpnHelper> krzee: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 01:50 < xybr2> Yeah I followed the howto 01:50 < xybr2> Maybe I did something wrong :/ 01:54 -!- BoomSie [n=gideon@dw772421126.amsterdam-tc.dataweb.net] has joined ##openvpn 01:57 < krzee> it never fully connects and works right? 
02:02 -!- krzee [n=k@unaffiliated/krzee] has quit ["This computer has gone to sleep"] 02:03 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 02:06 -!- mooseman447 [n=mooseman@24.229.203.37.res-cmts.sm.ptd.net] has quit ["moose is tired..."] 02:16 < xybr2> kraut, right 02:38 -!- kala_ [i=kala@uba.linux.ee] has quit ["leaving"] 02:41 -!- kala [i=kala@tux.linux.ee] has quit ["leaving"] 02:41 -!- kala [i=kala@uba.linux.ee] has joined ##openvpn 02:47 -!- kala_ [i=kala@uba.linux.ee] has joined ##openvpn 02:47 -!- kala_ [i=kala@uba.linux.ee] has quit [Client Quit] 02:48 -!- Axet [n=john@glou.nurvnet.org] has joined ##openvpn 02:48 < Axet> hi all 02:49 < Axet> quick question... does openvpn 2.0.9 support RFC3021 style addressing ? 02:56 -!- OpenTokix [i=peter@0x2a.se] has joined ##openvpn 02:56 < OpenTokix> morning, Options error: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:3: topology (2.0.9): 1 Time(s) <-- what does that mean? The VPN is working, but the error seems.... not optimal =) 02:58 -!- BoomSie [n=gideon@dw772421126.amsterdam-tc.dataweb.net] has quit ["Ex-Chat"] 03:03 -!- BoomSie [n=gideon@dw772421126.amsterdam-tc.dataweb.net] has joined ##openvpn 03:16 < kraut> moin 03:26 -!- Axet [n=john@glou.nurvnet.org] has quit [Read error: 113 (No route to host)] 03:30 -!- RexMundi [n=RexMundi@off.spillgroup.com] has quit [Read error: 104 (Connection reset by peer)] 03:46 -!- DGnome [i=mindre@mupp.fi] has joined ##openvpn 03:50 < DGnome> Hi! my routed roadwarrior setup works so far as that the client connects and can ping the vpn-server tun0 inet addr. But when I add 'push "route xxx.x...." for access to our internal network, no traffic goes through the tunnel. Any ideas? 
03:56 < hawk> DGnome: You may want to examine the logs and the resulting local routing table 04:00 < DGnome> hawk: everything seems alright :/ 04:37 -!- aptanet [n=Paul@87-127-190-18.no-dns-yet.enta.net] has joined ##openvpn 04:45 -!- aptanet [n=Paul@87-127-190-18.no-dns-yet.enta.net] has quit [Nick collision from services.] 04:46 -!- aptanet [n=Paul@87-127-190-18.no-dns-yet.enta.net] has joined ##openvpn 04:49 -!- Bushmills [n=Bushmill@verhau.de] has left ##openvpn ["Leaving."] 04:50 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 06:05 -!- Axet [n=john@glou.nurvnet.org] has joined ##openvpn 06:05 < Axet> hi all 06:20 -!- manueld [n=manueld@unaffiliated/manueld] has joined ##openvpn 06:42 -!- Axet [n=john@glou.nurvnet.org] has quit [Read error: 104 (Connection reset by peer)] 06:42 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 07:05 -!- pornizzle [i=pornizzl@195.226.105.137] has joined ##openvpn 07:05 < pornizzle> hello, i have a problem 07:06 < pornizzle> i always become this error 07:06 < pornizzle> Fri Aug 15 13:48:50 2008 us=204368 There is a problem in your selection of 07:06 < pornizzle> --ifconfig endpoints [local=10.0.8.7, remote=10.0.8.8]. 07:06 < pornizzle> The local and remote VPN end points must exist within the same 07:06 < pornizzle> 255.255.255.252 subnet. 07:06 < pornizzle> This is a limitation of --dev tun when used with the TAP-WIN32 driver. 07:06 < pornizzle> Try 'openvpn --show-valid-sub nets' option for more info. 07:06 < pornizzle> Fri Aug 15 13:48:50 2008 us=204749 Exiting 07:06 < pornizzle> Press any key to continue... 07:06 < manueld> pornizzle: are you german? 07:06 < pornizzle> yeah 07:06 < manueld> you can tell ^^ 07:07 < pornizzle> why? 
:x 07:07 < manueld> "become" is wrong 07:07 < manueld> "become" means "werden" 07:07 < manueld> "get" means "bekommen" ;) 07:07 < pornizzle> yeah yeah, right 07:07 < pornizzle> sorry 07:07 < pornizzle> :D 07:07 < pornizzle> I'm really pissed off right now 07:07 < pornizzle> 20 min ago the vpn was still working 07:07 < pornizzle> and now it isn't anymore 07:07 < pornizzle> can you help me with this? 07:08 < manueld> well, off the top of my head I'd say the subnet is being assigned wrongly 07:08 < manueld> that's what the error message says too 07:08 < manueld> but I haven't had that error myself 07:08 < pornizzle> so is that the server's fault? 07:08 < manueld> actually, yes 07:08 < pornizzle> would it help you to see my conf? 07:08 < manueld> the client gets the ip via dhcp from the server, right? 07:08 < pornizzle> it should 07:08 < pornizzle> but I also want to do static 07:08 < manueld> yes, paste your conf 07:09 < manueld> then you just have to enter the right subnet mask if you do static 07:09 < pornizzle> float 07:09 < pornizzle> port 1194 07:09 < pornizzle> dev tun 07:09 < pornizzle> dev-node ovpn 07:09 < pornizzle> proto tcp-client 07:09 < pornizzle> remote xxxxxx 1194 07:09 < pornizzle> ;ifconfig 192.168.2.3 192.168.2.1 # Tun0 ip-address 07:09 < pornizzle> ;route 192.168.5.0 255.255.255.0 # Route for corporate network 07:09 < pornizzle> ping 10 07:09 < manueld> NNNOOOOOOOOO 07:09 < pornizzle> persist-tun 07:09 < manueld> stop 07:09 < pornizzle> persist-key 07:09 < pornizzle> tls-client 07:09 < pornizzle> ca ca.crt 07:09 < pornizzle> cert client1.crt 07:09 < pornizzle> key client1.key 07:09 < pornizzle> ns-cert-type server 07:09 < manueld> http://pastebin.com 07:09 < pornizzle> #comp-lzo ? to enable LZO remove the # 07:09 < pornizzle> pull 07:09 < manueld> not directly in here 07:09 < pornizzle> verb 4 07:09 < pornizzle> ?! 
07:09 < manueld> here: http://pastebin.com 07:10 < manueld> and then post the link in here 07:10 < pornizzle> http://pastebin.com/m7035ac31 07:10 < manueld> better 07:10 < pornizzle> sorry =( 07:10 < kaynine> -->>> /topic <<<-- 07:10 < manueld> hang on a sec, I'll quickly connect to my server and look at mine 07:11 < pornizzle> ahhh that was the wrong one 07:11 < pornizzle> one sec 07:11 < pornizzle> http://pastebin.com/m6eda45a6 07:12 < pornizzle> the one with static 07:15 < pornizzle> hmm 07:15 < manueld> right now I don't know what else to suggest either 07:15 < pornizzle> because on the firewall I have 07:15 < pornizzle> address pool 07:15 < pornizzle> 10.0.8.0/24 07:15 < pornizzle> which corresponds to 255.255.255.0 07:17 < pornizzle> manueld, if I take out the ifconfig etc. and enable dhcp it should work, right? 07:17 < manueld> actually, yes 07:17 < pornizzle> so the conf looks fine 07:17 < manueld> yep, at first glance it does 07:17 < pornizzle> and I was already connected via vpn today 07:17 < manueld> I haven't found anything serious there 07:17 < pornizzle> and now it doesn't work anymore 07:17 < pornizzle> I don't get it 07:18 < pornizzle> porkys set 07:18 < pornizzle> - t 07:19 < pornizzle> man, I'm about to lose it 07:21 < pornizzle> this can't be happening 07:21 < pornizzle> I don't specify a subnet anywhere 07:33 -!- pornizzle [i=pornizzl@195.226.105.137] has quit [Client Quit] 07:42 < ecrist> wtf was that? 07:42 < rmull> ze germans! 08:05 < Optic> moooooo 08:31 -!- plaerzen [n=cam@S010600119505deed.cg.shawcable.net] has joined ##openvpn 08:31 < plaerzen> harro 08:33 < rmull> harro plaerzen 08:34 < plaerzen> been a little while 08:34 < rmull> Yes indeed. 08:34 < plaerzen> I was hanging out in security and postfix for a bit there. 08:34 < rmull> I took a hiatus as well 08:35 < rmull> Taishi stopped showing up a while ago 08:35 < plaerzen> Ah, too bad. He was good entertainment 08:35 < rmull> He was. 
08:35 < Optic> moo 08:35 < rmull> :o 08:35 < ecrist> ==> 08:36 < plaerzen> my office is so freaking cold all day. It's like we have two settings for air conditioning: off and nuclear 08:36 < ecrist> plaerzen: my office is the same way. 08:36 < Optic> i'd rather have cold than hot 08:37 < plaerzen> Yeah, me too. At least I can put a hoodie on. 08:37 < Optic> unfortunately we have these... women... in our office 08:37 < ecrist> I think it's stupid to have to bring a hoodie to work when it's 93 outside, though. 08:37 < ecrist> :\ 08:37 < plaerzen> ecrist: Totally agree. 08:37 < Optic> who need the temperature to be kept at above about 35C, or they "get cold" 08:37 < Optic> hehe 08:38 < plaerzen> 35C, wtf. that's insane 08:38 < cpm> yeah, we have a number of areas in the building, where the thermostat for the ac zone, is not actually inside the ac zone it controls. 08:38 < plaerzen> I would get heat stroke at 35C. 08:38 < Optic> well, i might be exaggerating 08:38 < Optic> a bit 08:38 < plaerzen> ah, I see. 08:38 < rmull> They turn the AC off in our building over the weekend 08:38 * plaerzen brb bio. 08:39 < rmull> And our servers overheat because there's no easy way to drain the condensation collector on our server room AC unit. 08:39 < rmull> Fail 08:39 < ecrist> our office is laid out as individual offices around the outside of the building, and cubes in the middle. There are two thermostats. one in the center of the cube area, and one in *one* of the offices that controls air to ALL offices. 08:39 < ecrist> my office *cold* 08:39 < Optic> rmull: you need a condensation pump that drains it over the boss's desk :) 08:39 < ecrist> the thermostat is on a wall, in direct sunlight. 08:40 < rmull> Optic: It's not the boss' fault - it's the building owners. 
08:40 < rmull> It's us and a bunch of other small businesses in here 08:40 < Optic> just dump it into a wall somewhere then :) 08:40 < Optic> hehe 08:40 < rmull> The building owners charge $35 an hour to keep the AC on over the weekend, lol 08:40 < Optic> drill hole in drywall, insert hose, forget :) 08:40 < rmull> lol Optic 08:41 < rmull> not-so-drywall 08:43 < plaerzen> lol 08:43 < rmull> Is there a decent way to use an openvpn routed tunnel (as opposed to bridged) vpn and still let clients use windows netbios names? 08:44 < plaerzen> I like your bofh-esque attitude Optic. 08:44 -!- Haris1 [n=Haris@unaffiliated/haris] has joined ##openvpn 08:44 < Haris1> Hello people 08:44 < plaerzen> harro 08:44 < rmull> helo 08:44 < Haris1> Does openvpn support connecting to multiple vpn destinations at the same time? 08:44 < ecrist> rull, yes 08:45 < rmull> Haris1: Yes, one for each client instance I'd imagine 08:45 < rmull> ecrist: Do I have to be running a WINS server? 08:45 < Haris1> rmull: I don't understand the part after yes, 08:45 < ecrist> iirc, you can build a VPN "routed" with a subnet equal to your LAN 08:46 < rmull> Haris1: You'd run one client for every vpn link you want to have. 08:46 < rmull> ecrist: But NetBIOS is broadcast and should not cross a routed tunnel 08:46 < rmull> Right? 08:46 < Haris1> rmull: curious, why? but its great. Would that cause any problems with routing? 08:46 < rmull> Haris1: Routing would be a problem if any of the subnets overlap 08:46 < ecrist> rmull, just a sec. 08:47 < rmull> ecrist: fosho 08:47 < plaerzen> I love how routing is about 95% of all problems in here. 08:47 < Haris1> rmull: Great, that means, it'll work 08:47 < Haris1> thanks guys 08:47 -!- Haris1 [n=Haris@unaffiliated/haris] has left ##openvpn ["Time to jet!"] 08:47 < rmull> plaerzen: Lol, yeah - I tend to have trouble with it myself 08:47 * plaerzen does too. 08:48 < rmull> Like - what if a road warrior connects from a subnet that is the same as mine, server side? 
08:48 < plaerzen> editing configs, creating keys, etc is the easy part. I'm still trying to wrap my head around routing, OSI technicalities and all that stuff. 08:49 < rmull> I can't seem to figure a way to guarantee that clients coming from diverse networks will not overlap my network that they need to be routed into. 08:50 < plaerzen> I wonder if there's any way to script their route table. 08:50 < rmull> I think you can execute scripts on link-up and link-down 08:51 < plaerzen> But 08:51 * plaerzen ponders. 08:51 < plaerzen> is there even any way around client and server working on same physical local subnet ? 08:52 < rmull> I don't think you can do that, right? 08:52 < plaerzen> I don't think so either. 08:52 < rmull> Starting ovpn would fail 08:52 < plaerzen> although I'm no expert. 08:52 < rmull> likewise 08:55 < ecrist> sorry, rmull, was on the phone actually *working* 08:55 < ecrist> sheesh, having to work at work. what's the world coming to. 08:56 < ecrist> rmull, I think you can hack the subnets such that you can trick the openvpn clients into being on the same subnet as your lan, it would be a nasty hack, though. 08:56 < ecrist> I think that's what a PDC/WINS server would be best suited for. 08:56 < ecrist> if I were setting it up myself, I'd build a bridged VPN, or better yet, get rid of the windows boxes. 08:58 < rmull> The latter would be nice 08:58 < rmull> I suppose I'll just go bridged and send the mess of broadcasts out over the vpn 08:59 * rmull does not like windows 08:59 < Optic> windows is pooptastic 08:59 < rmull> My favorite part is that the boss is running windows dhcp and dns services 08:59 < ecrist> rmull: we had a similar issue here, we just made the decision to drop support for windows file sharing and require users to use sftp/scp now. 09:00 < ecrist> we never did a ton of windows stuff, though. 
09:00 < rmull> And they do this thing where if a client fetches a dhcp lease, it'll automatically add the hostname of that machine to the dns 09:00 < rmull> So we have a ton of leftover laptop hostnames that resolve to random IPs that are handed out to new laptops with different hostnames 09:00 < rmull> I can't even log into my university's machine from this network because it uses strict reverse-lookup checking, which fails 09:00 < rmull> Lol at us. 09:01 < rmull> We were a 100% windows shop until they hired me. 09:01 < plaerzen> have you guys heard of ikat ? 09:01 < rmull> neg 09:02 < rmull> http://en.wikipedia.org/wiki/Ikat ? 09:02 < vpnHelper> Title: Ikat - Wikipedia, the free encyclopedia (at en.wikipedia.org) 09:02 < plaerzen> interactive kiosk attack tool. for public internet kiosks. 09:02 < rmull> Oh 09:02 < rmull> Lol 09:02 * ecrist thought apple was making german felines. 09:02 < Optic> OS 10.6: Drunk Cougar 09:02 < plaerzen> yo go to the webpage while logged into one and it basically downloads some javascript / actionscript / whatever and lets you break the kiosk security software. 09:05 < rmull> http://ikat.ha.cked.net/ 09:05 < vpnHelper> Title: iKAT - Interactive Kiosk Attack Tool (at ikat.ha.cked.net) 09:05 < rmull> Link for convenience. 09:05 < Optic> i like the photo 09:05 < plaerzen> also, they have a nice ass-banner on their webpage 09:06 < ecrist> now I've got to clean my desk, thanks. 09:06 < ecrist> :) 09:06 < plaerzen> :P 09:06 * rmull will visit during non-business hours 09:07 < ecrist> rmull: not that bad, it SFW. 09:07 < ecrist> sorta 09:07 < plaerzen> meh, it's not that bad 09:07 < rmull> Lol 09:07 < rmull> Maybe after this meeting then. 09:07 < Optic> pretty cool hacks actually 09:08 < Optic> i've done some kiosk stuff, this page would have been handy 09:08 < plaerzen> Optic: nod. I listen to an it security podcast and the author was interviewed just now. 09:10 * Optic bookmarks to delicious 09:12 < rmull> plaerzen: Which podcast? 
09:16 < plaerzen> rmull risky business 09:16 < plaerzen> http://itradio.com.au/security/ 09:16 < vpnHelper> Title: Risky Business (at itradio.com.au) 09:16 < plaerzen> I'm not australian, but it's still a good podcast. 09:19 * Optic listens to ratatat 09:24 -!- manueld [n=manueld@unaffiliated/manueld] has quit ["Nettalk6 - www.ntalk.de"] 09:28 < plaerzen> what kind of music do you guys listen to when you're "in the zone" 09:28 < plaerzen> ? 09:28 < ecrist> barry white. 09:29 < ecrist> oh, not that zone, orgy 09:29 < ecrist> seriously, Orgy's dreaming in digital is pretty tight. 09:29 < plaerzen> ja? 09:30 < ecrist> at least, back in the day, when I was much younger, and, um, testing other folks' security vulnerabilities for them. 09:30 < plaerzen> I like how you phrased that. 09:30 < plaerzen> Not so much these days ? 09:30 < ecrist> not so much of that these days. 09:31 < ecrist> I do some side work in LE, so it wouldn't be very conducive to my job there... 09:34 < ecrist> 09:35 < ecrist> that, and I don't have time for it anymore. 09:36 < ecrist> there's never enough time in the day. :( 09:41 < ecrist> any of you guys have an OpenVPN gui you recommend for linux? 09:43 < plaerzen> LE ? 09:44 < ecrist> law enforcement 09:45 < ecrist> just on the weekends, though. 09:45 < plaerzen> side work in law enforcement... I like that concept. I do some side work in law deforcement. 09:45 < ecrist> lol 09:45 < ecrist> I just work parks and waterways for a local county. 09:45 < plaerzen> Ah, I see. 09:46 < ecrist> when some kid gets lost and the news says '350 volunteers searched for...', I'm usually one of those volunteers. 09:47 < ecrist> gets me off my ass, out doing something. 09:47 < ecrist> :) 09:48 < plaerzen> I do things like rock climbing, camping, hiking, etc. on weekends 09:48 < plaerzen> this past weekend I camped out in B.C. near a town called Nelson for 5 days - for a music festival. T'was amazing. 
09:52 < ecrist> that sounds like fun 09:55 < plaerzen> it was :) and tonight I'm driving up to the foothills to visit my parents for 4 days. Man, paid vacation is rough. 09:55 < ecrist> sounds like it. 09:55 * plaerzen stretches out luxuriously. 09:56 < ecrist> come write my perl jabber bot for me. 09:56 < plaerzen> what are you making a jabber bot for ? 09:56 < ecrist> work 09:57 < ecrist> we've been using IRC for some years, I'm migrating us to jabber now 09:57 < ecrist> I wrote a bot in perl for IRC to essentially read RSS feeds from our svn server, wiki, and nagios. 09:57 < ecrist> I've gotta re-write him for jabber. 09:58 -!- pornizzle [i=pornizzl@195.226.105.137] has joined ##openvpn 09:58 < ecrist> working on re-parsing the incoming text now, got it connecting, authenticating, etc. 09:58 < ecrist> hi proni 09:58 < ecrist> erm, pornizzle 09:58 < pornizzle> ? 09:58 < ecrist> hi 09:58 < pornizzle> hi 09:58 < pornizzle> whats up 09:58 < pornizzle> :D 09:58 < plaerzen> we're using google apps. Google talk, e-mail, sites, etc. 09:59 < plaerzen> it's not bad, and fully hosted and managed. 09:59 < pornizzle> my linux client can't open DEV TUN ) error=2) 09:59 < plaerzen> A bit insecure though 09:59 < ecrist> I've got a side business I use google's stuff for, don't like it, tbh. 09:59 < ecrist> I work for a medical claims clearing house - we *can't* use something like google. 09:59 * plaerzen coughs. 10:00 < ecrist> pornizzle: can you pastebin your logs? 10:00 < plaerzen> I work for a dental practice management software company. 10:00 < pornizzle> one sec 10:00 < pornizzle> http://pastebin.com/d2231f809 10:01 < pornizzle> i tried it with tun, tun0 10:01 < pornizzle> didn't work 10:01 < ecrist> ok, can you pastebin your server config file, and your client config file? 10:01 < pornizzle> ähhm server file i can't but client sure 10:02 < rob0> porn, either "modprobe -v tun" or you've got a permission problem on /dev/net/tun . 
10:02 < plaerzen> ifup tun0 10:02 < pornizzle> i haven't modprobe :) 10:02 < ecrist> pornizzle: are you running the client as root? 10:02 < pornizzle> sure 10:02 < pornizzle> http://pastebin.com/d210f4bd6 10:02 < rob0> no modprobe? What OS? 10:03 < pornizzle> don't knew exactly but its linux 10:03 < pornizzle> its on a very very very small machine 10:03 < rob0> Well you don't have tun support. You're out of luck. 10:03 < pornizzle> it worked yesterday 10:03 < pornizzle> but today doesn't 10:04 < pornizzle> didn't changed anything 10:04 < rob0> Learn how to use your OS. You don't have the tun driver loaded. 10:04 < plaerzen> ifconfig tun0 up 10:04 < pornizzle> i knew where the driver is 10:04 < pornizzle> its tun.ko 10:04 < pornizzle> or ? 10:05 < pornizzle> No such device 10:05 < pornizzle> ... 10:05 < rob0> On any normal Linux "modprobe tun" does it. If you're not using a normal Linux, talk to your distributor about that. 10:05 < pornizzle> what is normal ? :P 10:05 < pornizzle> ;) 10:05 < pornizzle> but i knew what u mean 10:06 < pornizzle> don't knew how to handle this tun.ko file 10:07 < pornizzle> hmmpf 10:07 < plaerzen> pornizzle: normal is a word. 
the definition of normal (correct me if I'm wrong) is: "Most widely accepted standard" 10:07 < rob0> 15:05 < pornizzle> but i knew what u mean 10:08 < pornizzle> fact is i haven't modprobe 10:08 < pornizzle> of course u are right plaerzen 10:08 < pornizzle> this is a receiver 10:08 < pornizzle> satellite 10:09 < pornizzle> and i put linux on 10:10 < pornizzle> all works fine, but openvpn doesn't 10:12 < pornizzle> ok guys 10:12 < pornizzle> thanks for help 10:12 < pornizzle> bb 10:15 -!- pornizzle [i=pornizzl@195.226.105.137] has quit [] 10:24 -!- rob0 [n=rob0@tuxaloosa.org] has quit [Read error: 113 (No route to host)] 10:49 -!- BoomSie [n=gideon@dw772421126.amsterdam-tc.dataweb.net] has quit ["Ex-Chat"] 10:52 -!- aptanet [n=Paul@87-127-190-18.no-dns-yet.enta.net] has quit [Read error: 113 (No route to host)] 11:09 < plaerzen> thank god it's friday. I'm a zombie right now. 11:14 < cpm> there are a lot of zombies around. That kinda friday I think 11:17 < plaerzen> I even had an extra long weekend last weekend and had monday off. Probably why I'm a zombie. Not used to working 11:18 < ecrist> I'm having fun. 11:18 < ecrist> my jabber bot is going to rule the work. 11:18 < ecrist> world. 11:18 < ecrist> apparently, my fingers have taken today off. 11:24 < rmull> BRAAAIIIINNNNSSSS 11:24 < ecrist> I know! 11:25 * ecrist sets mode ##openvpn +b zombie!death@*.* 11:25 < rmull> rofl 11:27 < cpm> danged zombies 11:28 -!- Alocado [n=matthias@dslb-088-068-049-222.pools.arcor-ip.net] has joined ##openvpn 11:28 < Alocado> hello 11:28 < Alocado> how can i define a banner text which my users see on connect? 11:32 < hawk> Can you? 11:40 < Alocado> no idea 11:41 < kala> connect to what? 11:45 < cpm> umm, unless your users are using the command line to drive their connections, they ain't gonna see much of a banner. 11:51 < pumkinhed_> lol, the beauty of openvpn is that it doesnt bother the user 11:53 * plaerzen forgets how to change which channel to talk to in irc. 
11:53 < ecrist> Alocado: what protocol are they using to connect? 11:54 < Alocado> tcp? 11:55 < ecrist> have you read the howto? 11:55 < Alocado> yes 11:56 < Alocado> but i found no possibility for such messages 11:58 < kala> Alocado: which component should display the message? The OpenVPN GUI? Windows OS? Linux OS? TAP network driver? 11:58 < kala> browser? 12:00 < kala> you can perhaps redirect user browsers to a "message of the day" website, but other than that ... the functionality isn't really meant to be there. 12:04 < kala> oh. in case of Windows users, you can perhaps use the Windows builtin "net send" command to send a message to their desktop and in case of Linux users, you could perhaps use the "wall" or "talk" command. But these days everybody disables them, so I doubt they will work. 12:04 < plaerzen> net send comes disabled by default in windows I think 12:06 < kala> right 12:21 -!- pumkinhed_ [n=pumkinhe@mail.guardianchem.ca] has quit [Read error: 110 (Connection timed out)] 12:21 -!- mooseman447 [n=mooseman@24.229.203.37.res-cmts.sm.ptd.net] has joined ##openvpn 12:26 < ecrist> or, custom roll a vpn gui for you that requests a motd file from the vpn server... 12:28 -!- pUmkInhEd [n=pumkinhe@mail.guardianchem.ca] has joined ##openvpn 12:36 < cpm> Alocado, describe how you imagine this magic would appear to your user? 12:37 * cpm wonders why the question mark. 
12:37 -!- mooseman557 [n=mooseman@24.229.203.37.res-cmts.sm.ptd.net] has joined ##openvpn 12:44 -!- kaushal [n=kaushal@59.184.3.130] has joined ##openvpn 12:44 < kaushal> hi 12:45 < kaushal> I have configured openvpn client using Network Manager on Ubuntu 8.04 Linux Desktop, The issue is that I need to add sudo ip route add 10.0.0.0/8 via 10.10.50.12 dev tap0 every time whenever i need to connect to openvpn server 12:46 < kaushal> For windows user, they dont have any issue 12:46 < kaushal> any clue 12:47 < kaushal> is there a way to push it on the client side 12:51 < kaushal> anybody awake here 12:53 -!- mooseman447 [n=mooseman@24.229.203.37.res-cmts.sm.ptd.net] has quit [Remote closed the connection] 12:53 -!- Alocado [n=matthias@dslb-088-068-049-222.pools.arcor-ip.net] has left ##openvpn ["Ex-Chat"] 12:58 -!- mooseman557 [n=mooseman@24.229.203.37.res-cmts.sm.ptd.net] has quit [Remote closed the connection] 12:58 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)] 13:00 < ecrist> kaushal: yes 13:01 < kaushal> ecrist, I have spoken to the Server Admin 13:01 < kaushal> regarding this issue 13:01 < kaushal> Windows users have no issues 13:01 < ecrist> ok 13:01 < ecrist> I don't remember your issue, sorry 13:01 < kaushal> Linux users have this issue 13:02 < kaushal> I have configured openvpn client using Network Manager on Ubuntu 8.04 Linux Desktop, The issue is that I need to add sudo ip route add 10.0.0.0/8 via 10.10.50.12 dev tap0 every time whenever i need to connect to openvpn server 13:04 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 13:06 < kaushal> krzee, hi 13:07 < krzee> hey 13:08 < kaushal> krzee, how are you doing today 13:09 < krzee> good, just woke up 13:09 < krzee> gunna shower and go visit a girl 13:09 < krzee> just waiting for the water to heat up 13:10 < ecrist> krzee: I've already seen her this morning. 13:10 < ecrist> sorry man. 
13:10 < ecrist> ;) 13:10 < krzee> haha 13:10 < krzee> riiight 13:10 < krzee> your spanish must be good :-p 13:10 < ecrist> there wasn't a lot of talking - a little moaning, but that's universal. 13:10 < kaushal> krzee, any clue 13:10 < krzee> hehe 13:11 < krzee> kaushal, 13:11 < krzee> [13:56] kaushal, the problem is none of us use network manager 13:11 < krzee> [13:56] oh wait, thats on client 13:11 < krzee> [13:56] just push it to the client from the server 13:12 < kaushal> krzee, I have issue only with the Linux Desktop 13:12 < kaushal> Windows users work fine 13:12 -!- mooseman557 [n=mooseman@24.229.203.37.res-cmts.sm.ptd.net] has joined ##openvpn 13:12 < ecrist> kaushal: don't use network manager, use cli 13:12 < krzee> aye 13:13 < krzee> the mail list is full of examples of network manager being the reason stuff dont work 13:13 < cpm> indeed 13:13 < kaushal> ecrist, ok 13:14 < kaushal> so can i be connected when my system boots up using cli 13:14 < krzee> !learn ubuntu as dont use network manager! 13:14 < vpnHelper> krzee: The operation succeeded. 13:14 < krzee> haha 13:15 < ecrist> kaushal: you can still boot in gui 13:15 < ecrist> just open a terminal and run openvpn from there. 13:15 < krzee> or 13:15 < krzee> just toss it in crontab with @reboot 13:15 < krzee> or use your OS's real method of starting scripts 13:15 < ecrist> or, press Ctl-Alt-F2, login, run openvpn, press Ctl-F8, and enjoy. 13:15 < krzee> in freebsd i know of 3 ways to start anything on boot... 13:16 < krzee> (i dont use ubuntu but i guarantee its not hard) 13:17 < ecrist> I'm using Kubuntu now, for my work desktop, with my MacBook Pro sitting next to that. 13:17 < ecrist> I have ~37 FreeBSD servers sitting in a datacenter 10 miles esat. 
13:17 < ecrist> east*
13:17 < ecrist> damn my fingers
13:18 -!- mooseman557 [n=mooseman@24.229.203.37.res-cmts.sm.ptd.net] has quit ["Leaving"]
13:20 -!- burnin [n=burnin@204-228-142-194.ip.xmission.com] has joined ##openvpn
13:21 < cpm> http://www.inquisitr.com/2357/has-bigfoot-been-found/
13:21 < vpnHelper> Title: Has Bigfoot Been Found? (at www.inquisitr.com)
13:31 -!- kaushal [n=kaushal@59.184.3.130] has quit ["Leaving"]
13:43 < rmull> Any of the regulars want a free month of netflix?
13:45 < plaerzen> ohh
13:45 < plaerzen> do I count as a regular? :D
13:45 < krzee> i dont think i even CAN get netflix
13:45 < krzee> haha
13:46 < krzee> the mail system out here barely even works
13:46 < plaerzen> out where ?
13:46 < krzee> my bills are hand delivered to my house without envelope
13:46 < krzee> lol
13:46 < krzee> caribbean
13:46 < plaerzen> I have no sympathy.
13:46 < krzee> lol
13:46 < krzee> tru
13:47 < plaerzen> "Woe is me. I live in a tropical paradise"
13:47 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
13:47 < plaerzen> :P
13:47 < rmull> plaerzen: You want it?
13:47 < plaerzen> rmull: for sure :)
13:48 < rmull> Okay, I don't have the code on my now, but I'll /msg it to you tonight.
13:48 < rmull> Don't let me forget.
13:48 * plaerzen nods.
13:48 < plaerzen> I might not be around later. I'm heading out in about 3 hours.
13:48 < rmull> No rush
14:07 -!- burnin [n=burnin@204-228-142-194.ip.xmission.com] has quit ["Leaving"]
14:09 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Remote closed the connection]
14:23 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
14:24 * ecrist cheers
14:24 < ecrist> my bot is working.
14:54 < rmull> Hmm, anybody ever seen this in their openvpn logs? http://pastebin.ca/raw/1173340
14:54 < rmull> When I try to connect I just keep getting I/O WAIT every 1 second with all that other noise
14:58 < rmull> Using bridging over udp
14:58 < rmull> Full logs and confs on request
15:03 < rmull> Same behavior for tun and tap. Hm!
15:05 < rmull> Actually ,one sec
15:06 < plaerzen> clients in the office =/
15:06 < plaerzen> although 90% of the people in this industry are women. So it evens out.
15:10 < snowboarder04> i asked this yesterday but no-one was around who knew... thought I might as well ask it again...
15:10 < snowboarder04> I'm writing an article on openvpn, does anyone know roughly when the "Ope
15:10 < snowboarder04> be launched and if this package will be charged / subscription based?
15:10 < snowboarder04> nVPN Tool Box Value Add Package" (as seen in the Coming Soon box top-right of the openvpn website) is due to
15:22 -!- bandini [n=bandini@host173-110-dynamic.31-79-r.retail.telecomitalia.it] has quit [Remote closed the connection]
15:27 < rmull> snowboarder04: We're around, but I think none of us know.
15:35 < plaerzen> snowboarder04: that was one dyslexic paste.
15:36 < plaerzen> an rmull is right in that none of us know. At least I don't anyway.
15:36 < plaerzen> But I don't know much.
15:41 < snowboarder04> dyslexic how?
15:45 < snowboarder04> cheers anyway guys :)
15:49 < rmull> Good luck, we're probably interested in reading the article when you're done with it
15:50 < plaerzen> we are
15:50 < snowboarder04> I'll try to drop by with a link when the editor's finished with it
16:53 -!- OpenTokix [i=peter@0x2a.se] has quit [Read error: 104 (Connection reset by peer)]
17:03 < ecrist> *yawn*
17:05 < ecrist> it was very backwards.
18:20 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
18:49 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
18:58 -!- m0b [i=elusive@neighborhood.dopeslinger.com] has quit ["changing servers"]
19:18 < rmull> plaerzen: Ping
19:23 -!- djs [n=djs@unaffiliated/djs26] has quit ["Lost terminal"]
19:23 -!- djs [n=djs@unaffiliated/djs26] has joined ##openvpn
20:39 -!- mooseman447 [n=mooseman@24.229.203.37.res-cmts.sm.ptd.net] has joined ##openvpn
21:05 -!- dgilmore [n=dgilmore@fedora/dgilmore] has joined ##openvpn
21:06 < dgilmore> hey all i have a quick question
21:06 < dgilmore> i have a CA that serves many pourposes
21:07 < dgilmore> id like to configure openvpn so it will only accept certs if its in the organisational Unit is OpenVPN ?
21:07 < dgilmore> is that possible
21:10 < rmull> Can't you just distribute the correct ca.crt and use the correct ca.key for your vpn and that's that?
21:10 < rmull> The org-unit doesn't matter if the crt and key must match up anyway
21:11 < dgilmore> rmull: they will have that
21:12 < dgilmore> rmull: but most of the certs signed by the ca will not be for vpn but for other purposes
21:12 < rmull> As long as the certs are signed by the ca.key that you're using for your vpn server, no other ca's certs will be allowed.
21:12 < dgilmore> rmull: i want a way to say this cert is good for vpn. but this other one is not
21:13 < dgilmore> rmull: all will be signed by the same ca
21:13 < dgilmore> some are for vpn others are not
21:13 < rmull> Oh, I see what you're saying now, sorry
21:13 < dgilmore> i dont want to run multiple CA's
21:13 < dgilmore> google is not being kind to me
21:13 < rmull> The path to the cert is specified explicitly in the conf - is that not good enough?
21:14 < dgilmore> or maybe its not possible
21:14 < rmull> You don't want people swapping certs in?
21:14 < dgilmore> most of the certs are for authentication on other apps. they dont have vpn access
21:15 < dgilmore> we dont want them to use the vpn
21:15 < rmull> Okay, let's see
21:16 < rmull> Yeah man, off the top of my head I'm not sure
21:16 < dgilmore> im trying to go from 3 CA's to 1
21:19 < dgilmore> --ns-cert-type client|server
21:19 < dgilmore> i think that will do what i want
21:19 < dgilmore> rmull: cheers
21:37 -!- near [n=near@83-155-185-247.rev.libertysurf.net] has quit [Read error: 110 (Connection timed out)]
21:38 -!- near [n=near@91-172-127-8.rev.libertysurf.net] has joined ##openvpn
21:43 -!- mooseman447 [n=mooseman@24.229.203.37.res-cmts.sm.ptd.net] has quit ["Leaving"]
--- Day changed Sat Aug 16 2008
01:37 -!- dgilmore [n=dgilmore@fedora/dgilmore] has left ##openvpn []
01:49 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
02:51 < kala> uh, dgilmore left
02:52 < kala> I think there is a way ... to use --auth-user-pass-verify option and then cook up a specific script, which verifies the user's DN which is in the certificate
02:53 < kala> but then the client needs to give dummy --auth-user-pass file option
02:57 < kala> no, there is a better way. --tls-verify cmd
02:57 < kala> I'm planning this kind of setup as well, so I had to look it up :)
04:24 -!- Axet [n=john@glou.nurvnet.org] has joined ##openvpn
04:24 < Axet> Hi all, I've set up my openvpn with client-conf-dir but it doesn't push out the ip I specified in the ccd directory for my client
04:25 < Axet> any ideas ?
04:25 < Axet> what did I do wrong ? :)
04:33 < krzee> just let openvpn give the ip and use ipp.txt to always give the same one
04:41 < Axet> krzee: isn't it possible to use ccd for that ?
04:44 < krzee> dont believe so
04:44 < krzee> it also would be a much bigger pita
04:49 < Axet> krzee: currently openvpn isn't pushing any ip at all
04:49 < Axet> krzee: doesn't it use a default ip range if none is specified ?
04:49 < krzee> bridge or routed?
04:49 < Axet> routed
04:49 < krzee> first ip is .6
04:49 < krzee> it uses /30 subnets
04:50 < Axet> I want it to use 10.0.1.0/30
04:50 < krzee> umm, thats the server
04:50 < Axet> I don't get it ... I'm not understanding something
04:50 < krzee> first client gets the next /30
04:51 < krzee> server keeps .1/30 for itself
04:51 < Axet> what for ? doesn't it use 10.0.1.1 for itself and 10.0.1.2 for the client ?
04:51 < krzee> no
04:51 < Axet> how come ?
04:51 < krzee> as i said, each client gets a /30
04:51 < krzee> that makes the next ip .6
04:52 < krzee> s/client/machine
04:52 < Axet> but the server has an ip in each /30 doesn't it ?
04:52 < Axet> so it's on the same network
04:53 < Axet> if I were to use the next /30 my client would get 10.0.1.6 and the server would use 10.0.1.5 right ?
04:53 < krzee> !/30
04:53 < vpnHelper> krzee: Error: "/30" is not a valid command.
04:53 < Axet> !prefix 30
04:53 < vpnHelper> Axet: Error: "prefix" is not a valid command.
04:53 < krzee> !learn /30 as http://openvpn.net/index.php/documentation/faq.html#slash30
04:53 < vpnHelper> krzee: The operation succeeded.
04:54 < krzee> there ya go
04:54 < krzee> !/30
04:54 < vpnHelper> krzee: "/30" is http://openvpn.net/index.php/documentation/faq.html#slash30
04:54 * Axet is reading
04:56 < Axet> well I was right about the server using an ip for itself in the /30
04:56 < krzee> yup, but it wont respond to that address
04:57 < krzee> If you know that only non-Windows clients will be connecting to your OpenVPN server, you can avoid this behavior by using the ifconfig-pool-linear directive.
04:59 < Axet> I use openvpn for site to site vpns mainly
04:59 < Axet> between linux hosts
05:01 < Axet> but since I do occasionnaly connect from windows machines I'd like to keep a config that is multiplatform compatible
05:01 < krzee> then you should know what to do
05:01 < krzee> live with the /30 ;]
05:01 < Axet> =)
05:02 < krzee> could try using .6 in your ccd/
05:02 < krzee> .10 as your next ip
05:07 < Axet> does this look correct to you ? : ifconfig-push 10.0.1.6 10.0.1.5
05:08 < Axet> ah looks as if it'ws working
05:08 < krzee> no idea, i never considered trying it
05:08 < krzee> i'ld just doctor up a ipp.txt based on the entry from the first client to connect
05:08 < krzee> 1 file = easier management
05:09 < Axet> !ipp.txt
05:09 < vpnHelper> Axet: Error: "ipp.txt" is not a valid command.
05:09 < Axet> !ipp
05:09 < vpnHelper> Axet: Error: "ipp" is not a valid command.
05:09 < Axet> :p
05:09 < krzee> its not there
05:09 < krzee> tried reading the docs?
05:09 < krzee> !howto
05:09 < vpnHelper> krzee: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
05:10 < krzee> man page is good too
05:10 < krzee> !man
05:10 < vpnHelper> krzee: "man" is http://openvpn.net/index.php/documentation/manuals/openvpn-20x-manpage.html the man pages are your friend!
05:10 < krzee> but the main explanation of ipp.txt ive seen is in the config file
05:11 < krzee> which you can see by searching for ipp.txt in the howto
05:12 < Axet> vpn works =)
05:12 < krzee> i take it back
05:12 < krzee> you were right on your method
05:12 < krzee> from man page: They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, use --ifconfig-push
05:12 * krzee eats his words
05:12 < Axet> ok :)
05:12 < Axet> I prefered using ccd anyway
05:12 < Axet> that way I can add extra push options if needed
05:13 < Axet> and that way I only have 1 file to manage per client
05:13 < Axet> with all the options for each client in one files
05:14 < krzee> OpenVPN's internal client IP address selection algorithm works as follows:
05:14 < krzee> 1 -- Use --client-connect script generated file for static IP (first choice).
05:14 < krzee> 2 -- Use --client-config-dir file for static IP (next choice).
05:14 < krzee> 3 -- Use --ifconfig-pool allocation for dynamic IP (last choice).
05:14 < Axet> ok great
05:15 < Axet> now I need to have a go with quagga =)
05:15 < krzee> --ifconfig-push local remote-netmask
05:15 < Axet> could I use that option to use different netmasks ?
05:15 < krzee> without the /30 netmask it's working with 2 clients
05:15 < Axet> I'm interested in using /31 netmasks
05:15 < krzee> there is no /31
05:15 < krzee> heh
05:15 < Axet> yes there is
05:16 < Axet> RFC3021
05:16 < Axet> people call me stupid everytime I talk about /31 netmasks ... :p
05:16 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
05:17 < Axet> but it exists
05:17 < krzee> This would be the host table if a /31, if it existed:
05:17 < krzee> Network part Subnet . Host part Host Address
05:17 < krzee> 192.168.1.32 0010000.0 UNUSABLE - HOST PART IS ALL 0's
05:17 < krzee> 192.168.1.33 0010000.1 UNUSABLE - HOST PART IS ALL 1's
05:17 < Axet> http://www.faqs.org/rfcs/rfc3021.html
05:17 < vpnHelper> Title: RFC 3021 (rfc3021) - Using 31-Bit Prefixes on IPv4 Point-to-Point Links (at www.faqs.org)
05:18 < krzee> 192.168.1.4/30
05:18 < krzee> 192.168.1.4 -- Network address
05:18 < krzee> 192.168.1.5 -- Virtual IP address in the OpenVPN Server
05:18 < krzee> 192.168.1.6 -- Assigned to the client
05:18 < krzee> 192.168.1.7 -- Broadcast address.
05:18 < krzee> doesnt look very rfc3021 compliant, due to reasons you already read
05:19 < Axet> I'm not saying that it'll work with openvpn, I'm saying that /31 netmasks exist
05:19 < krzee> [06:01] but since I do occasionnaly connect from windows machines I'd like to keep a config that is multiplatform compatible
05:19 < krzee> [06:01] then you should know what to do
05:19 < krzee> [06:01] live with the /30 ;]
05:19 < krzee> [06:15] I'm interested in using /31 netmasks
05:19 < Axet> krzee: I can mix the 2
05:20 < Axet> use one ip range for site 2 site vpns and the other range for clients
05:20 < Axet> and use /30 for clients
05:20 < krzee> give it a shot if you wanna deal with keeping track of it
05:20 < krzee> ild think it would work
05:20 < krzee> but have no clue
05:21 < Axet> I'd rather trust your openvpn expertise on this one :)
05:21 < Axet> I need to finish moving all the services from my old box to this new one before the 20th
05:21 < Axet> =)
05:21 < krzee> is there a reason you dont want /30?
05:21 < Axet> I'm using vservers for the first time
05:21 < krzee> gunna run out of ips?
05:21 < Axet> krzee: no, I was just interested in trying it out
05:22 < krzee> ahh
05:22 < krzee> well if you end up testing it im interested in knowing how it went
05:22 < Axet> ok :)
05:22 < krzee> not cause i'll ever do it, but just curiosity since you posed the ?
05:23 < Axet> every played with vservers yourself ?
05:23 < Axet> -y
05:23 < krzee> virtualization?
05:23 < Axet> yes but specifically using vserver
05:24 < krzee> done it with xen on freebsd, parallels and vmware on osx, vmware in win
05:24 < Axet> it's not the same thing
05:24 < krzee> from a quick google vserver looks like its linux
05:24 < Axet> xen and vmware emulate hardware
05:24 < Axet> vserver shares the server's hardware and kernel
05:24 < Axet> it's based on chroot technology
05:24 < krzee> like freebsd jails?
05:24 < Axet> yeah
05:24 < krzee> k
05:25 < krzee> nah never hearda it
05:25 < krzee> sounds cool tho
05:25 < Axet> It's sort of a pain in the butt dealing with devices
05:25 < krzee> i know jails for fbsd are very nice
05:25 < Axet> I have to create them manually for the vserver
05:25 < Axet> http://linux-vserver.org/Welcome_to_Linux-VServer.org
05:25 < vpnHelper> Title: Welcome to Linux-VServer.org - Linux-VServer (at linux-vserver.org)
05:25 < krzee> thats a good thing, only access to the devices you specify
05:25 < Axet> yep
05:26 < Axet> good for security but adds extra work to set it up ;)
05:26 < krzee> ahh
05:26 < krzee> good trade
05:26 < Axet> hehe
05:26 < Axet> well thanks for the help with the /30 issue
05:26 < Axet> and pointing out the help ^^
05:27 < krzee> np man
05:27 < Axet> didn't know about the first /30 issue
05:37 < Axet> krzee: is it normal that my client gets a 255.255.255.255 netmask ?
05:37 < Axet> shouldn't it match the server's netmask ?
05:39 < krzee> cant check right now, is it working?
05:39 < krzee> ie: you can ping
05:40 < Axet> it works with either setting but I can't reach any of the server on the vserver host
05:40 < Axet> it might be something else
05:40 < krzee> vserver host = behind server or client?
05:40 < Axet> the vserver host is hosting the openvpn server
05:41 < Axet> the client is my lan's router
05:41 < Axet> th vserver host is a box I rent that I intend using among other things to interconnect sites
05:41 < krzee> the vservers have their own network?
05:42 < Axet> yes
05:42 < Axet> 10.1.0.0/24
05:42 < krzee> you pushed the route to it to clients?
05:42 < Axet> my lan is 10.2.0.0/24
05:42 < Axet> i entered it manually
05:42 < krzee> do it through openvpn
05:42 < Axet> ok
05:43 < krzee> and if the lan behind the client needs to have access to the vpn
05:43 < krzee> !iroute
05:43 < vpnHelper> krzee: "iroute" is does not bypass the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. ccd entries are basically included into server.conf, but only for the specified client, so when the network is behind a client the iroute goes into the clients ccd entry.
05:44 < krzee> in fact iroute could be the solution for both of those, ild hafta play with the setup a lil to know
05:44 < Axet> it's either a routing or firewall issue, I'll figure it out thxs
05:44 < Axet> I can now ping the vserver from the router on my lan
05:44 < krzee> np
05:45 < krzee> just now when you send packets at openvpn and IT doesnt already know about the network (even tho kernel does) you'll need iroute
05:45 < krzee> cause otherwise you get "MULTI" errors
05:45 < Axet> I'll check the logs now
05:45 < krzee> MULTI: received packets but didnt know what to do with them
05:46 < krzee> or somethin like that
05:46 < Axet> MULTI: bad source address from client [10.2.0.185], packet dropped
05:46 < Axet> like that ? :)
05:46 < krzee> aye
05:46 < Axet> :D
05:46 < Axet> good thing you mentionned that :p
05:46 < krzee> hehe
05:46 < krzee> btw always check logs first
05:47 < krzee> and use verb6 when testing
05:47 < krzee> can lower it after
05:47 < krzee> just now when you send
05:47 < krzee> meant know
05:48 < Axet> iroute is to add routes for networks behind clients right ?
05:49 < krzee> !learn multi as the error MULTI: bad source address from client [IP], packet dropped means you sent packets at openvpn and it doesnt already know about the network (even tho kernel does) please see !iroute
05:49 < vpnHelper> krzee: Error: "IP" is not a valid command.
05:49 * Axet reads vpnHelper's output and answer's his own question
05:49 < krzee> iroute lets openvpn know what to do with packets it gets but doesnt know what to do with
05:49 < krzee> since multiple clients go through 1 tunnel
05:49 < krzee> kernel sends packets at tunnel interface because kernel says to
05:49 < krzee> openvpn gets it and says WTF
05:49 < Axet> how rude ! ;)
05:50 < krzee> but after you add an iroute, openvpn says oh that goes to client X
05:50 < krzee> iroute = internal route i believe
05:50 < krzee> i havnt seen that said, but its my conclusion
05:50 < krzee> since its only for openvpn internals
05:50 < krzee> kernel route still has to get the packets to openvpn
05:51 < Axet> krzee: if I add an iroute entry to my ccd file will openvpn add the kernel route ?
05:51 < krzee> nope
05:51 < Axet> ok so it's just so openvpn accepts it
05:52 < krzee> !forget iroute
05:52 < vpnHelper> krzee: The operation succeeded.
05:52 < krzee> !learn iroute as does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. ccd entries are basically included into server.conf, but only for the specified client, so when the network is behind a client the iroute goes into the clients ccd entry.
05:52 < vpnHelper> krzee: The operation succeeded.
05:52 < Axet> works !
05:52 < Axet> I can reach the vservers from a client on my lan behind the router =)
05:52 < krzee> =]
05:53 < krzee> im loving my new bot
05:53 < Axet> lol
05:53 < Axet> eggbot ?
05:53 < krzee> makes this stuff so much easier!
05:53 < krzee> supybot
05:53 < krzee> eggdrops are more useful for efnet
05:55 < Axet> iroutes are great !
05:55 < Axet> I might stick to static routing a bit longer
07:35 -!- Bushmills [n=nBushmil@verhau.de] has joined ##openvpn
07:37 < ecrist> morning, kids
07:37 < Axet> hi
07:52 -!- Bushmills [n=nBushmil@verhau.de] has left ##openvpn ["Leaving."]
07:59 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
09:00 -!- Bushmills [n=nBushmil@verhau.de] has joined ##openvpn
10:13 -!- burnin [n=burnin@204-228-142-194.ip.xmission.com] has joined ##openvpn
10:24 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn
10:28 -!- Irssi: ##openvpn: Total of 34 nicks [0 ops, 0 halfops, 0 voices, 34 normal]
10:53 -!- mooseman447 [n=mooseman@24.229.203.37.res-cmts.sm.ptd.net] has joined ##openvpn
10:53 -!- mooseman447 [n=mooseman@24.229.203.37.res-cmts.sm.ptd.net] has quit [Client Quit]
11:14 -!- djs [n=djs@unaffiliated/djs26] has quit [Dead socket]
11:24 -!- djs [n=djs@unaffiliated/djs26] has joined ##openvpn
12:10 -!- cferthorney [n=cferthor@cpc5-papw1-0-0-cust957.cmbg.cable.ntl.com] has joined ##openvpn
12:10 -!- cferthorney [n=cferthor@cpc5-papw1-0-0-cust957.cmbg.cable.ntl.com] has left ##openvpn []
12:11 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
13:16 -!- djs26 [n=djs@unaffiliated/djs26] has joined ##openvpn
13:17 -!- djs [n=djs@unaffiliated/djs26] has quit [Nick collision from services.]
13:17 -!- djs26 is now known as djs
14:17 -!- Alex [i=hauntedu@goatse.co.uk] has quit [Remote closed the connection]
16:04 -!- snowboarder04 [n=un@serv.bemail.co.uk] has left ##openvpn []
16:29 -!- DGnome [i=mindre@mupp.fi] has quit [Read error: 60 (Operation timed out)]
17:44 -!- ^scott^ [n=scott@stthom.org] has quit ["My damn controlling terminal disappeared!"]
18:07 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
19:03 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Client Quit]
21:39 -!- near [n=near@91-172-127-8.rev.libertysurf.net] has quit [Read error: 110 (Connection timed out)]
21:39 -!- near [n=near@83-153-92-109.rev.libertysurf.net] has joined ##openvpn
23:54 -!- level1 [n=level1@c-24-130-211-171.hsd1.ca.comcast.net] has joined ##openvpn
--- Day changed Sun Aug 17 2008
00:28 -!- erstazi [n=erstazi@unaffiliated/erstazi] has joined ##openvpn
00:28 -!- erstazi [n=erstazi@unaffiliated/erstazi] has left ##openvpn []
00:30 -!- jthan [n=jthan@216-164-31-198.c3-0.smt-ubr2.atw-smt.pa.cable.rcn.com] has joined ##openvpn
00:49 < ecrist> hey kids
00:50 < jthan> Anyone familiar with OpenVPN Client setup on Vistax64 Ultimate?
00:52 < ecrist> meh
00:53 < jthan> Very nice.
00:58 < ecrist> there is some experience, what's your problem?
00:59 < jthan> Well It keeps saying that "All TAP-Win32 Connections are busy "when I try to start OpenVPN.. even if I add new ones. I tried running as an admin, restarting, reinstalling a few times.
00:59 -!- Mitchix [n=chatzill@pool-71-177-180-94.lsanca.fios.verizon.net] has joined ##openvpn
01:02 < Mitchix> good evening i'm hoping i've done all the hard part.. and now this will just be something easy... OpenVPN 2.0.9 (mipssel-linux) everything works, unless i use daemon mode... then none of the Virtual addressing works
01:04 < ecrist> jthan - are you *sure* you're running as admin?
01:04 < ecrist> Mitchix: what do you mean by Virtual addressing?
01:05 < jthan> ecrist: yes. But I think I might have just discovered my problem. I forgot AVG was running as *hidden* and therefore I forgot all about it. so let me try with that OFF. If that's the problem I'm shooting myself
01:05 < ecrist> ok
01:06 < jthan> Eh. Nvmd. No such luck
01:07 < Mitchix> sorry was afk.. for a min
01:07 < jthan> ecrist: anyway, def. admin
01:08 < Mitchix> ecrist if you have a openvpn.status file it shows routes plus the address class's.. in daemon mode only the base routes show up.. not the subnet behond the vpn
01:10 < krzee> how do you call openvpn manually?
01:10 < ecrist> jthan - weird. there have been other users here under 64bit Vista w/o problems.
01:10 < ecrist> they might have been using 2.1.x though.
01:10 < ecrist> Mitchix: what OSes, and can you pastebin your config, please?
01:10 < jthan> ecrist: sucks..
01:11 < krzee> ya ecrist's request is better than my question
01:11 < krzee> !configs
01:11 < vpnHelper> krzee: Error: "configs" is not a valid command.
01:12 < krzee> !learn configs as please pastebin your client and server configs, also include which OS and version of openvpn.
01:12 < vpnHelper> krzee: The operation succeeded.
01:12 < ecrist> hurry, folks. wife's gonna want some nookie soon.
01:12 < Mitchix> krzee starting with just openvpn server.conf everthing works... if i start with openvpn --daemon --config server.conf then i can only ping the vpn servers/clients (1 server 5 clients right now)
01:12 < ecrist> and nookie > *
01:12 < krzee> haha
01:12 < krzee> Mitchix
01:12 < krzee> !configs
01:12 < krzee> and
01:12 < vpnHelper> krzee: "configs" is please pastebin your client and server configs, also include which OS and version of openvpn.
01:12 < krzee> !logs
01:12 < vpnHelper> krzee: "logs" is is please pastebin your logfiles from both client and server with verb set to 6
01:13 < ecrist> !learn logs as please pastebin your logfiles from both client and server with verb set to 6
01:13 < vpnHelper> ecrist: The operation succeeded.
01:13 < Mitchix> no logs.. this is all running on openwrt.. looking up pastbin usage
01:14 < ecrist> Mitchix: it's not hard - go to www.pastebin.com - copy text, click Paste/Save/whatever-button-says
01:14 < ecrist> copy link from address bar, paste url here.
01:14 < krzee> ecrist, whyd you remake logs?
01:14 < krzee> !logs
01:14 < vpnHelper> krzee: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) please pastebin your logfiles from both client and server with verb set to 6
01:14 < krzee> !forget logs 2
01:14 < vpnHelper> krzee: The operation succeeded.
01:17 < krzee> !learn pastebin as a site [ www.pastebin.com | www.pastebin.ca ] where you can paste stuff, and are given a link to give to people who can then help you
01:17 < ecrist> Mitchix: please post your configs
01:17 < vpnHelper> krzee: Error: "www.pastebin.com" is not a valid command.
01:17 < krzee> whoa
01:17 < krzee> !pastebin
01:17 < Mitchix> i'm getting them...
01:17 < vpnHelper> krzee: "pastebin" is please paste anything with more than 5 lines into pastebin or a similar website
01:18 < krzee> ahh thats already a definition too, ill leave it
01:19 < Mitchix> http://pastebin.com/d5ccccb31 server config and one client config
01:19 < Mitchix> i'm getting the screen's that i'm talking about.. take me about 1-2 min's
01:22 < krzee> ### (optional) make local network behind the VPN server accessible for the VPN clients
01:22 < krzee> #push "route 192.168.1.0 255.255.255.0"
01:22 < krzee> would that work? you can push from client?
01:22 < krzee> to server...
01:22 < krzee> ild assume not
01:23 < krzee> also, its not your problem but do you need tcp?
01:23 < krzee> !tcp
01:23 < vpnHelper> krzee: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
01:23 < Mitchix> krzee if i start with out the --daemon all routing works i can ping servers and i can ping clients on both sides of all networks
01:24 < ecrist> Mitchix: your routes are flawed, you could simplify them
01:25 < Mitchix> simplifty them how? don't understand the flaw... (i didn't include the ccd files but they are just the like all the documention says)
01:25 < ecrist> 192.168.0.0/21
01:25 < krzee> Mitchix, i think logs would be helpful
01:25 < krzee> ecrist, it needs to keep its normal route for .2.0/24
01:25 < ecrist> one route, 192.168.0.0 255.255.248.0
01:26 < krzee> (or lose communication in its lan)
01:26 -!- jthan [n=jthan@216-164-31-198.c3-0.smt-ubr2.atw-smt.pa.cable.rcn.com] has left ##openvpn []
01:27 -!- burnin [n=burnin@204-228-142-194.ip.xmission.com] has quit ["Leaving"]
01:27 < ecrist> krzee: what're you talking about?
01:28 < krzee> push "route 192.168.2.0 255.255.255.0"
01:28 < ecrist> Mitchix: you're missing "push" before lines 27-32
01:28 < krzee> if hes pushing that route to clients, it is behind the vpn
01:29 < krzee> he is pushing the clients a route to his lan behind the server
01:29 < krzee> and telling his server to add routes to send other ip addresses through openvpn
01:29 < ecrist> krzee: he's pushing 8 subnets, actually.
01:29 < krzee> which he should have corresponding iroutes for
01:29 < ecrist> ahhh
01:29 < krzee> no, he isnt
01:30 < krzee> he only has 1 lan behind his server
01:30 < krzee> the rest belong to clients that should have iroutes in ccd entries
01:30 < ecrist> well, tbh, openvpn isn't really the place to put those routes, imho.
01:30 < krzee> thats how hes letting the kernel know about them
01:30 < krzee> i disagree
01:30 < krzee> its the perfect place!
01:30 < krzee> where would you put them?
01:30 < Mitchix> yes i'm pushing multi nets one per connection
01:31 < krzee> erm
01:31 < ecrist> :P
01:31 < Mitchix> http://pastebin.com/d747eab1b this is the openvpn.status files....
01:31 < krzee> Mitchix, are you doing what i explained?
01:31 < krzee> or is there more than 1 lan behind your server?
01:31 < Mitchix> the first one is with deamon.. the second is with out just from prompt
01:31 < ecrist> Mitchix: is there more than one lan subnet behind the VPN server?
01:31 < krzee> verb 6 Mitchix
01:32 < krzee> is that even a logfile
01:32 < krzee> !sample
01:32 < vpnHelper> krzee: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs
01:32 < ecrist> krzee: he pasted a status file, not a log file.
01:32 < krzee> ahh
01:32 < Mitchix> vpn server is 192.168.2.0 each client connects and has one net behind it.. 192.168.1.0/24 another client 192.168.3.0/24
01:33 < krzee> right
01:33 < krzee> so you arent pushing multiple networks
01:33 < ecrist> Mitchix: push those routes.
01:33 < Mitchix> yes... status files show the routing working.. and it's all happy.. unless i start it as daemon.. then it does not add the /c and /24 routes
01:33 < krzee> the thing is, you gotta push them in ccd.
01:33 < krzee> ccd/
01:34 < krzee> cause you dont wanna push the route to the lan that is behind the client
01:34 < ecrist> no, he can push them as I said.
01:34 < Mitchix> it's 7 offies... with one class C in each office
01:34 < krzee> ecrist, wont that mess up routing to the lan of the client?
01:34 < ecrist> no
01:34 < ecrist> well
01:34 < Mitchix> yes it does.. i did that all ready...
01:34 < krzee> why wouldnt it?
01:34 < ecrist> yes, you're right krzee
01:34 < ecrist> ccd is the right place
01:35 < Mitchix> it puts 2 entrys in the routing table and it doesn't know what one to use..
01:35 < ecrist> omitting the local LAN for each client
01:35 < krzee> it knows which one, but its the wrong one
01:35 < krzee> hehe
01:35 < ecrist> Mitchix: you need a ccd entry for each client, pushing all the LAN routes *other* than it's own LAN.
01:35 < Mitchix> yes i have that...
01:36 < krzee> and with the iroute for the lan you dont push
01:36 < Mitchix> using there Cname...
01:36 < ecrist> can you show me that?
01:36 < krzee> you can just show one ccd entry
01:36 < krzee> can just paste it in here too
01:36 < krzee> err not 1 entry, 1 file
01:36 < Mitchix> iroute 192.168.1.0 255.255.255.0
01:36 < Mitchix> that is Route1
01:36 < krzee> no pushes?
01:36 < Mitchix> the office that we're testing
01:37 < Mitchix> if i put push it doesn't work
01:37 < krzee> no no
01:37 < krzee> lets say 1.0 should talk to 3.0 lans
01:37 < krzee> it would need to know the route
01:37 < Mitchix> if i put the push in the ccd file it does not work.. i have to put it in the
01:37 < krzee> you gotta push the route to all other client lans
01:37 < krzee> or they wont be able to talk
01:38 < Mitchix> its a little confusing the Server is on net 2... 1 3 4 5 6 7 are the client networks
01:38 < krzee> right
01:38 < ecrist> we figured that out...
01:38 < krzee> so 1 needs a pushed route in its ccd entry for 3,4,5,6,7
01:38 < krzee> or 1 wont know how to route to 3,4,5,6,7
01:39 < krzee> your iroute is correct tho
01:39 < krzee> each ccd entry needs a pushed route to all other client lans
01:39 < Mitchix> they are in the main file with the Route and the Iroute tells vpn what to do when they get there
01:39 < krzee> and iroute for its own
01:39 < ecrist> krzee - you should write up some nice docs on my wiki for that sort of thing.
01:39 < krzee> joogot a wiki!?
01:39 < ecrist> I would, but I don't usually have time.
01:39 < krzee> yes, yes i should
01:39 < Mitchix> that is if i want the clents to be able to talk with each other... right now they only need to talk to the server... and the server needs to talk with all of them
01:40 < ecrist> krzee: https://www.secure-computing.net/wiki
01:40 < krzee> i can copy and paste some of these conversations
01:40 < vpnHelper> Title: Main Page - Secure Computing Wiki (at www.secure-computing.net)
01:40 < krzee> thats how i come up with the !commands
01:40 < ecrist> https://www.secure-computing.net/wiki/index.php/OpenVPN_Server
01:40 < vpnHelper> Title: OpenVPN Server - Secure Computing Wiki (at www.secure-computing.net)
01:41 < Mitchix> what i don't understand is why it works unless i start it as a daemon...
01:41 < krzee> we dont either, cause you havnt posted logs
01:42 < ecrist> Mitchix: if it's as you describe, could be a bug in wrt, or openvpn in priv dropping.
01:42 < Mitchix> you have any idea what a PITA getting logs from openwrt box is like
01:42 < krzee> nope
01:42 < ecrist> i.e. privs are getting dropped before routes are built in daemon
01:42 < krzee> thats why i dont mod my router
01:42 < Mitchix> esp at log level 6
01:42 < krzee> heheh
01:43 < ecrist> Mitchix: asking for logs is far from unreasonable. :\
01:43 < krzee> ya without them we cant be much more help
01:43 < krzee> although we did solve a problem you had yet to notice
01:43 < krzee> which is always handy
01:43 < Mitchix> i'm not disagreeing with you.. it's how i fixed a number of issues.. but they just scrool by
01:44 < Mitchix> the multi push's.. i had them in.. removed them to simplify the config files
01:44 < krzee> turn up your buffer lines and copy / paste
01:44 < krzee> well you have client to client, which makes me think you want 1. to talk to 3.
01:44 < krzee> without them as i said you wont be able to
01:45 < Mitchix> no.. i'm setting up nagios and it lives on the .2 network... and needs to see everyone... anything else is just extra...
01:45 < krzee> ecrist, can you make an openvpn section to the wiki?
01:45 < Mitchix> but in daemon mode it does not forward ANYTHING except from the routers
01:45 < krzee> i'll add stuff to it as it comes up
01:46 < krzee> oh then you can remove client-to-client
01:46 < Mitchix> ok.. give me a min.. i have to figure out how to get it to write a file...
01:46 < ecrist> :( my wife is snoring.
01:46 < Mitchix> ya i just had not done it yet...
01:46 < krzee> ouch
01:46 < Mitchix> or put the pushes back in...
01:46 < krzee> no nookie for youuuu
01:46 < ecrist> krzee: I allow anon edits - create an account and go to town.
01:46 < krzee> ecrist, just push a route to her ;]
01:47 < Mitchix> btw thank you so much for the help.. i've been able to answer all the other issues (related to openvpn) with google..
01:47 < krzee> np
01:47 < krzee> it's always nicer to help people who bothered to read the docs
01:47 < krzee> (and google)
01:48 < krzee> ecrist, i can add to miscellaneous on the left?
01:49 < ecrist> oh, you want a menu option? hang on
01:49 < krzee> cool thx
01:50 < ecrist> done
01:50 < krzee> sweet
01:51 < krzee> !learn wiki as https://www.secure-computing.net/wiki/index.php/OpenVPN
01:51 < vpnHelper> krzee: The operation succeeded.
01:57 < Mitchix> ok have one log file... need the broken one....
02:02 < krzee> !iroute
02:02 < vpnHelper> krzee: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. ccd entries are basically included into server.conf, but only for the specified client, so when the network is behind a client the iroute goes into the clients ccd entry.
02:06 < ecrist> g'night
02:06 < krzee> nite
02:09 -!- Zylogue [n=Zylogue@wsip-98-174-167-3.ok.ok.cox.net] has joined ##openvpn
02:10 < Mitchix> well at first glance.. it seems to be a permission issue... in daemon mode it's not reading the ccd file
02:10 < Mitchix> Sat Aug 16 23:54:21 2008 us=562043 Router7/71.118.143.251:1858 OPTIONS IMPORT: reading client specific options from: ccd//Router7
02:10 < Mitchix> this is missing from the daemon version...
02:11 < Zylogue> greetings all! I'm having a bit of difficulty connecting a linux openvpn client to an openvpn service running on a dd-wrt router. as root I run 'openvpn static-home.conf' and the last line displayed is "UDPv4 link remote: 68.12.147.213:1194"
02:11 -!- level1 [n=level1@c-24-130-211-171.hsd1.ca.comcast.net] has quit [Remote closed the connection]
02:11 < krzee> !logs
02:11 < vpnHelper> krzee: "logs" is is please pastebin your logfiles from both client and server with verb set to 6
02:11 < krzee> oh and greetings =]
02:11 < Zylogue> nothing else has displayed in the term for over 5 minutes
02:12 < krzee> verb is set to 6?
02:15 < Zylogue> OK, it looks as though I have a misconfigured .conf file. back to vim!
02:16 < Mitchix> thank you thank you thank you.. as i love to say.. "I'M NOT A COMPLETE IDIOT.... PARTS ARE MISSING"
02:16 < krzee> you figured it out?
02:16 < Mitchix> I had "Client-config-dir ccd/
02:17 < Mitchix> i needed to have FULL PATH /etc/openvpn/ccd
02:17 < krzee> ahhhhh right
02:17 < krzee> ya i always use full paths
02:17 < krzee> good catch
02:18 < Mitchix> so of course it worked right when i started it from command line (in /etc/openvpn/)... but what throws me is i started it with --daemon in the /etc/openvpn dir... and it still puked...
02:18 < Mitchix> and usually do ... that one just slipped right on in there...
02:19 < krzee> Mitchix, if you would stick around for a minute i'd appreciate
02:19 < krzee> to checkout my writeup inspired from this
02:20 < Mitchix> sure.... holding breath;)
02:20 < krzee> and tell me if it's understandable
02:20 < krzee> haha
02:20 < Mitchix> ok.. i can read.. just don't ask me to write anything...
02:20 < krzee> haha np
02:21 < Mitchix> i'm restarting all the openvpn's back up... so i won't be far
02:24 -!- Bushmills [n=nBushmil@verhau.de] has left ##openvpn ["Leaving."]
02:26 < Mitchix> they are all up and happy:D again thank you so much for the help
02:27 < krzee> you're welcome
02:29 < Zylogue> if i'm using a key file, why does the client require a ca?
02:30 < krzee> hah i need to figure out how to use the wiki
02:30 < krzee> never set one up before
02:30 < krzee> https://www.secure-computing.net/wiki/index.php/OpenVPN
02:30 < vpnHelper> Title: OpenVPN - Secure Computing Wiki (at www.secure-computing.net)
02:30 < krzee> but there's the writeup
02:32 < krzee> --cert file
02:32 < krzee> Local peer's signed certificate in .pem format -- must be signed
02:32 < krzee> by a certificate authority whose certificate is in --ca file.
02:33 < krzee> how do you know if a cert is signed by the right CA without something to compare to
02:33 < krzee> can't just guess, gotta have a trusted CA
02:34 < krzee> same goes for web browsing, but browsers ship with trusted CAs and give you the option of allowing untrusted after alerting you
02:35 < Mitchix> You will need client-config-dir ccd/ in your server config file i would change all references to ccd/ to full path the ccd default(normal) is /etc/openvpn/ccd
02:35 < Mitchix> that's how it got there.. i just copy/pasted it
02:36 < Mitchix> you're going to fix the wiki to have each route on its own line?
02:36 < krzee> yes
02:36 < krzee> You will need client-config-dir /path/to/ccd/ in your server config file to enable ccd entries.
02:37 < Mitchix> and i would reduce example to 3-4 routes not all 6-7
02:37 < Mitchix> yes.. much better.. example... /path/to/ccd/
02:39 < Mitchix> also suggest copy the client1 to client2 and put example there also and highlight the missing PUSH
02:39 < krzee> huh?
02:41 < Mitchix> make 2 sample ccd/client1 and ccd/client3 show the iroutes and push for each one and point out that you don't push that client's address block
02:41 < Mitchix> it really does mess up the router.. might not hurt if openvpn's not on the gateway...
02:42 < krzee> yes it would
02:42 < krzee> it would cut off all network access
02:42 < krzee> cause the router would be unreachable
02:42 < Mitchix> lol.. ya.. and it's a good thing i noticed before rebooting it... lol...
02:43 < krzee> (would be trying to reach router over vpn, but vpn would cease to exist because no communication with router)
02:45 < Mitchix> i broke dyndns updates on 7... so am dependent on the vpn to find it... till i get it fixed...
02:45 < Mitchix> next on my list....
02:48 < krzee> https://www.secure-computing.net/wiki/index.php/OpenVPN
02:48 < vpnHelper> Title: OpenVPN - Secure Computing Wiki (at www.secure-computing.net)
02:51 < krzee> there
02:51 < krzee> all better
02:51 < krzee> !lan
02:51 < vpnHelper> krzee: Error: "lan" is not a valid command.
02:51 < krzee> !lans
02:51 < vpnHelper> krzee: Error: "lans" is not a valid command.
02:52 < krzee> !learn lans as https://www.secure-computing.net/wiki/index.php/Multiple_Lans%3B_route%2C_push_route%2C_iroute
02:52 < vpnHelper> krzee: The operation succeeded.
02:52 < krzee> !learn lan as you can NOT run both endpoints of openvpn on the same LAN.
02:52 < vpnHelper> krzee: The operation succeeded.
02:53 < Mitchix> reading
02:56 < krzee> !forget lans
02:56 < vpnHelper> krzee: The operation succeeded.
02:57 < krzee> !learn lans as https://www.secure-computing.net/wiki/index.php/Multiple_Lans-route-push_route-iroute
02:57 < vpnHelper> krzee: The operation succeeded.
02:57 < Mitchix> network 1.0 has a common-name of client1. In ccd/client1
02:57 < Mitchix> 192.168.3.0 LAN would have the following entry for its ccd/ file:
02:57 < Mitchix> they should both be the same...
02:57 < krzee> huh?
02:58 < Mitchix> Full ip in both... and /ccd/filename
02:58 < Mitchix> network 192.168.1.0 has a common-name of client1. in the ccd/client1...
02:59 < Mitchix> network 192.168.3.0 has a common-name of client3. in ccd/client3....
02:59 < krzee> if i put client1 and client2 in both maybe some fool won't read more and try it, this way they get the point you name based on common-name
02:59 < krzee> but i'll change the ip
02:59 < Mitchix> lol ok
02:59 < Mitchix> looks really good...
03:00 < Mitchix> in sep i have to redo all the routers (new version of openwrt) i'll convert to udp at that time
03:00 < krzee> k did that for other part too
03:00 < krzee> The route entries are telling his server to add a route for each of 192.168.1.0, 192.168.3.0, and 192.168.4.0 to its kernel's routing table
03:00 < krzee> easier on the eyes
03:01 < krzee> i strongly recommend it
03:01 < krzee> in fact i'd do it sooner than later
03:01 < krzee> tcp-over-tcp really sucks that bad
03:01 < Mitchix> lol yes it is.. also for someone not fully understanding routing and ip's
03:01 < Mitchix> ya.. i'm seeing the packet loss already..
03:01 < krzee> i tried voip on it and my calls just went further and further downhill til i had to hang up and start over
03:02 < krzee> which did not take long at all
03:02 < Mitchix> right now only traffic over the vpn is nagios
03:02 < krzee> either way
03:02 < krzee> doing it right now is easy
03:02 < krzee> going back and fixing it later takes more effort
03:02 < krzee> including remembering to care
03:02 < Mitchix> ROFLMOL... says U....
03:03 < krzee> people setup stuff that works 1/2 right
03:03 < krzee> then they never fix it, cause it works "good enough"
03:03 < Mitchix> has to be changed in all the config files (ok easy) and the firewall scripts...
03:03 < krzee> when they shoulda just taken the time to do it right during setup
03:03 < krzee> yanno?
03:03 < Mitchix> this is true...
03:04 < krzee> also
03:04 < krzee> you should setup secret.key
03:04 < krzee> it's very easy to generate
03:04 < krzee> and worth doing
03:04 < Mitchix> it'll bug me and i'll fix it... but right now i can't till i fix dyndns or i'll lose a router
03:04 < krzee> it gives you HMAC verification on every packet
03:04 < krzee> so packets not meant for openvpn won't even be processed
03:04 < Mitchix> ya it's done... i just commented it out to keep things simple
03:05 < krzee> well when you uncomment it (like now ;] ) switch to udp
03:05 < krzee> hahah
03:06 < Mitchix> and watch my router vanish on me... config files don't get changed anymore till i know i'm not going to have a router vanish on me...
03:06 < Mitchix> had to drive 15 miles and sit outside with laptop last time to reconnect it...
03:08 < Mitchix> well again thanks for all the help it's time for me to examine the back of my eyelids
03:11 < krzee> np
03:11 < krzee> have a good night
03:12 -!- Mitchix [n=chatzill@pool-71-177-180-94.lsanca.fios.verizon.net] has quit ["ChatZilla 0.9.83 [Firefox 3.0.1/2008070208]"]
03:50 < krzee> Wiki
03:51 < krzee> !iki
03:51 < vpnHelper> krzee: Error: "iki" is not a valid command.
03:51 < krzee> !wiki
03:51 < vpnHelper> krzee: "wiki" is https://www.secure-computing.net/wiki/index.php/OpenVPN
04:33 -!- Zylogue [n=Zylogue@wsip-98-174-167-3.ok.ok.cox.net] has quit ["Leaving"]
04:52 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
05:24 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn
05:58 -!- axu [n=axu@91.208.91.2] has joined ##openvpn
05:58 < axu> hello
06:00 < axu> i am setting up a site 2 site openvpn tunnel with tun. everything works perfect except the push routes doesn't have an effect. im using 2 linux hosts. anyone a hint. also anyone a hint how i can set routes on the openvpnserver automatically when openvpn launches?
06:14 < krzee> which machine needs routes added to it?
06:15 < axu> krzee: first the client machine. i have 2 lines with push route in my servers config but the client ignores it it seems. then on the server at openvpn startup. i know i could do the second by hand but my guess is openvpn has some --script filename option of some kind
06:16 < krzee> !lans
06:16 < vpnHelper> krzee: "lans" is https://www.secure-computing.net/wiki/index.php/Multiple_Lans-route-push_route-iroute
06:16 < krzee> ya something like --up script
06:16 < krzee> but un-needed
06:16 < axu> a, thank you i have a look at it right away :)
06:17 < axu> krzee: why unneeded?
06:17 < krzee> i just wrote that up couple hours ago
06:17 < krzee> hope it helps
06:17 < krzee> script unneeded cause openvpn configs can do it
06:19 < axu> krzee: ok, i only have one client and one server, it's a site2site setup, so push "route 10.21.0.0 255.255.0.0" "route 10.22.0.0 255.255.0.0" should be set on the client.
06:20 < axu> on the serverside there should be 192.168.254.0 255.255.255.0 going to the clientip
06:20 < krzee> no
06:20 < krzee> client don't get anything
06:20 < krzee> server gets all
06:20 < krzee> route for local to server
06:20 < krzee> push route for it to happen to clients kernel config
06:22 < axu> krzee: i don't get it. the whole iroute concept doesn't compile with my brains
06:22 < krzee> it's internal to openvpn
06:22 < krzee> !iroute
06:22 < vpnHelper> krzee: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. ccd entries are basically included into server.conf, but only for the specified client, so when the network is behind a client the iroute goes into the clients ccd entry.
06:24 < axu> krzee: i have no clue what the kernel is pointing to or what openvpn knows about any networks, i don't get it
06:25 < krzee> i guess it's pretty hard to learn networking and openvpn at the same time
06:25 < krzee> might wanna start with networking
06:25 < krzee> or maybe someone else can help later
06:25 < krzee> im watching efnet get owned, then to bed
06:25 < axu> krzee: i think i have a little of a clue on networking
06:25 < axu> krzee: ok, thank you for the help
06:26 < axu> anyone able to tell me how iroute could help me in any ways?
06:28 < axu> push "route 192.168.2.0 255.255.255.0" push "route 192.168.3.0 255.255.255.0" .... in the servers config, should set a route at the client. i don't understand why this should not be the case. but, ok, it isn't :)
06:45 < axu> mhm, has the client to be somehow configured to accept push route ?
06:49 < axu> has anyone a hint besides the howto? or documentation. for i didn't find much about why my routes aren't pushed to the clients in there.
06:53 < krzee> !logs
06:53 < vpnHelper> krzee: "logs" is is please pastebin your logfiles from both client and server with verb set to 6
06:53 < krzee> efnet is still getting owned, can't go to bed yet
06:54 < axu> krzee: ok, got it to 8, im lowering it, mom
06:54 < krzee> i won't be mad at 8
06:55 -!- djs [n=djs@unaffiliated/djs26] has quit [Remote closed the connection]
06:59 < krzee> omfg
06:59 < krzee> 8am
06:59 < krzee> nm i better sleep
06:59 < krzee> but you should pastebin logs and configs
06:59 < krzee> ecrist will prolly be up soon
06:59 < krzee> or someone else
07:01 -!- djs26 [n=djs@unaffiliated/djs26] has joined ##openvpn
07:02 -!- djs26 is now known as djs
07:09 < axu> krzee: ok, good night
07:09 < axu> http://pastebin.com/m74bf3254
07:09 < axu> here is my 2 configs + the logs from the 2 boxes
07:09 < axu> as i see it the server offers the routes, but the client simply ignores it
07:15 < axu> how about that push and pull thingy. but that needs tls says the logfile, so that shouldn't be the problem either. i tried with pull in client config.
07:20 < rmull> krzee: You there bud?
07:20 < krzee> yes, but i really wanna sleep
07:20 < krzee> hey just keep owning #efnet
07:20 < krzee> after owning the servers and website
07:20 < rmull> Just have a glance at http://openvpn.deconfused.org, then sleep
07:20 < krzee> and it's hard to not stay up and watch
07:20 < rmull> You can feel free to pull the stuff out of that and fit it into your wiki if you'd like
07:21 < rmull> Saw your list post :D
07:22 < rmull> I'm not really sure what the format for quick FAQ-style stuff would be in a wiki, so I'm letting you handle the final formatting. That and I'm lazy.
07:23 < krzee> nice man
07:23 < krzee> it's ecrist's wiki
07:23 < krzee> im just posting to it =]
07:23 < krzee> thanx, link bookmarked
07:24 < rmull> ecrist: Ping sir
07:24 < rmull> Okay, gonna go start my day. It's nice to see we finally got a real wiki going - that should be quite helpful.
07:25 -!- rmull is now known as rmull_
07:25 < krzee> agreed
07:25 < krzee> !wiki
07:25 < vpnHelper> krzee: "wiki" is https://www.secure-computing.net/wiki/index.php/OpenVPN
07:25 < krzee> will complement the bot nicely
07:26 < axu> ok, i did the routing stuff via scripts and up, but it's not that nice, the serverside does refuse to start if it gets killed because the route is already there
07:26 < axu> can i tell openvpn not to mind what exit status the script tells openvpn ?
07:31 < krzee> could make a script call a script
07:31 < krzee> and the outer script exits well no matter what
07:31 < krzee> cause hey... it ran and finished!
07:31 < krzee> at least in theory
07:32 < krzee> but i really need sleep so don't take my word for it
08:21 < kaynine> !wiki
08:21 < vpnHelper> kaynine: "wiki" is https://www.secure-computing.net/wiki/index.php/OpenVPN
08:21 * kaynine is pleased
08:31 -!- axu [n=axu@91.208.91.2] has quit [Read error: 110 (Connection timed out)]
08:35 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
08:56 < ecrist> rmull_: pong
09:02 < rmull_> ecrist: Just wanted to let you know that the info at http://openvpn.deconfused.org could probably be incorporated into the wiki
09:03 < vpnHelper> Title: Storage for Freenode's #OpenVPN FAQ (at openvpn.deconfused.org)
09:09 < ecrist> ah, alright
09:09 < ecrist> I'm getting ready to go out for the day - will look at it when I get home.
10:08 -!- ProN00b [n=dot@pD9E3B7F0.dip.t-dialin.net] has joined ##openvpn
10:12 < ProN00b> does anyone have a howto for setting up openvpn to act as a proxy ?
10:26 -!- bandini [n=bandini@host173-110-dynamic.31-79-r.retail.telecomitalia.it] has joined ##openvpn
10:34 -!- itchi [n=David@unaffiliated/itchi] has joined ##openvpn
10:58 -!- kala [i=kala@uba.linux.ee] has quit [Remote closed the connection]
11:00 -!- ProN00b [n=dot@pD9E3B7F0.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
11:01 -!- ProN00b [n=dot@pD9E3A9E8.dip.t-dialin.net] has joined ##openvpn
11:08 -!- shadowhywind [n=shadowhy@adsl-68-76-157-68.dsl.akrnoh.ameritech.net] has joined ##openvpn
11:08 < shadowhywind> anyone know of a way to manually set the ip address of a tap0 device?
11:08 < shadowhywind> or i should say set a static ip address for tap0
11:34 < itchi> Does anyone know where i can find info about openVPN and DDNS? Got some things working but with a static entry. I saw in the OpenVPN book heading content that there's the word "zones". Someone read that book and can tell me if it's worth buying this for my missing info?
11:34 -!- shadowhywind [n=shadowhy@adsl-68-76-157-68.dsl.akrnoh.ameritech.net] has quit [Read error: 110 (Connection timed out)]
11:34 < itchi> I want to get bind9 zones updated when an openvpn client connects
11:40 < itchi> Ah, with zones, they mean a zone in a firewall i guess
11:41 < itchi> as this is in that chapter Linux and Firewall. Well, i won't buy the book then :-p
11:50 -!- burnin [n=burnin@204-228-142-194.ip.xmission.com] has joined ##openvpn
12:01 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
12:21 -!- bandini [n=bandini@host173-110-dynamic.31-79-r.retail.telecomitalia.it] has quit [Remote closed the connection]
13:35 -!- onre [i=esp@static.fi] has quit [Read error: 110 (Connection timed out)]
14:02 -!- sega01 [n=sega01@2001:470:8:29:250:4ff:fe20:dbc4] has joined ##openvpn
14:02 < sega01> hey
14:03 < sega01> does 2.5 beta have the recent fixes in 2.1?
14:03 < sega01> or has it just been given a few patches and left unmaintained?
14:04 < sega01> brb
14:06 -!- daemon [n=daemon@mail.daemoncore.org] has quit [Read error: 104 (Connection reset by peer)]
14:07 < ProN00b> does anyone have a howto for setting up openvpn to act as a proxy ?
14:07 < kaynine> ?"act as proxy"? .... you refer to "redirect-gateway" ?
14:09 < ProN00b> i am not sure
14:09 < ProN00b> you know the service "relakks" by chance ?
14:10 < kaynine> then maybe read about 'gateway' in the man page; and note also that the openvpn.net HOWTO is extremely good.
14:10 < kaynine> I do not know of relakks
14:13 < itchi> ProN00b: Do you want to create a VPN tor client?
14:15 < ProN00b> vpn, where the "pn" i connect to is the same internet my connection is coming from
14:33 -!- Ferdinandd [i=c914d38a@gateway/web/ajax/mibbit.com/x-b59cf4af30f298b3] has joined ##openvpn
14:33 < Ferdinandd> Is it possible to use bridge with static keys (--secret) ?
14:34 -!- daemon [n=daemon@mail.daemoncore.org] has joined ##openvpn
14:40 < kaynine> Ferdinandd: I'd say "yes"
14:52 < Ferdinandd> kaynine: I'm getting this: Options error: --server-bridge and --secret cannot be used together (you must use SSL/TLS keys)
14:56 < kaynine> Well, since I haven't configured either bridge or static, I'm the wrong person to be authoritative, but I haven't seen anything in any of the documentation to suggest that the two are mutually exclusive; so I defer to others
14:58 < Ferdinandd> kaynine: that's why I'm very confused ... the documentation does not mention SSL/TLS as needed for bridging
15:13 -!- daemon [n=daemon@mail.daemoncore.org] has quit [Connection reset by peer]
15:20 -!- daemon [n=daemon@mail.daemoncore.org] has joined ##openvpn
15:21 -!- Ferdinandd [i=c914d38a@gateway/web/ajax/mibbit.com/x-b59cf4af30f298b3] has quit ["http://www.mibbit.com ajax IRC Client"]
15:34 -!- daemon [n=daemon@mail.daemoncore.org] has quit [Connection reset by peer]
15:45 -!- daemon [n=daemon@mail.daemoncore.org] has joined ##openvpn
15:56 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
16:19 -!- shadowhywind [n=shadowhy@user-0c93gf5.cable.mindspring.com] has joined ##openvpn
16:19 < shadowhywind> hey all i am getting a Cannot allocate TUN/TAP dev dynamically error anyone have any ideas?
16:36 -!- SirFunk [n=SirFunk@cpe-74-71-205-222.twcny.res.rr.com] has joined ##openvpn
16:36 < SirFunk> how can i tunnel all of my traffic on windows through my vpn?
16:38 -!- shadowhywind [n=shadowhy@user-0c93gf5.cable.mindspring.com] has quit [Remote closed the connection]
16:55 -!- prattfall [n=sten@c-68-51-79-157.hsd1.il.comcast.net] has joined ##openvpn
16:57 -!- prattfall [n=sten@c-68-51-79-157.hsd1.il.comcast.net] has quit [Client Quit]
17:56 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Client Quit]
18:15 -!- SirFunk [n=SirFunk@cpe-74-71-205-222.twcny.res.rr.com] has quit [Read error: 104 (Connection reset by peer)]
18:23 -!- SirFunk [n=SirFunk@cpe-74-71-205-222.twcny.res.rr.com] has joined ##openvpn
19:06 < kaynine> SirFunk: redirect-gateway
19:45 -!- SirFunk [n=SirFunk@cpe-74-71-205-222.twcny.res.rr.com] has quit [Read error: 104 (Connection reset by peer)]
20:32 < ecrist> evening, kids
20:53 < ecrist> krzee/rmull: updates to wiki.
20:54 -!- mode/##openvpn [+o ecrist] by ChanServ
20:55 -!- ecrist changed the topic of ##openvpn to: Home Page: http://openvpn.net | HowTo: http://openvpn.net/index.php/documentation/howto.html | Current Release OpenVPN 2.0.9 | Wiki: https://www.secure-computing.net/wiki/index.php/OpenVPN | Pastebin.com for >5 lines | Don't feed the trolls.
20:55 -!- mode/##openvpn [-o ecrist] by ecrist
21:19 -!- mhiku [n=mhiku@203.177.57.170] has joined ##openvpn
21:30 -!- dogmeat [n=Bob@unaffiliated/dogmeat] has quit [SendQ exceeded]
21:35 -!- dogmeat [n=Bob@unaffiliated/dogmeat] has joined ##openvpn
21:36 -!- burnin [n=burnin@204-228-142-194.ip.xmission.com] has quit ["Leaving"]
21:38 -!- near [n=near@83-153-92-109.rev.libertysurf.net] has quit [Read error: 101 (Network is unreachable)]
21:38 -!- near [n=near@83-155-190-107.rev.libertysurf.net] has joined ##openvpn
22:05 < ecrist> foo
22:10 < ecrist> rmull_: I've moved your FAQ into the wiki, https://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ
22:10 < vpnHelper> Title: OpenVPN/FAQ - Secure Computing Wiki (at www.secure-computing.net)
22:11 < rmull_> ecrist: Cool, thanks, hope it helps
22:53 -!- mhiku [n=mhiku@203.177.57.170] has quit [Read error: 54 (Connection reset by peer)]
--- Day changed Mon Aug 18 2008
00:32 -!- mhiku [n=mhiku@203.177.57.170] has joined ##openvpn
00:32 < mhiku> how to use openvpn together with tor?
00:39 < krzee> mhiku, no idea, and this next command is not for you
00:39 < krzee> !wiki
00:39 < vpnHelper> krzee: "wiki" is https://www.secure-computing.net/wiki/index.php/OpenVPN
01:05 -!- RexMundi [n=RexMundi@off.spillgroup.com] has joined ##openvpn
01:13 -!- RexMundi [n=RexMundi@off.spillgroup.com] has quit [Read error: 104 (Connection reset by peer)]
01:50 -!- manueld [n=manueld@unaffiliated/manueld] has joined ##openvpn
01:51 -!- manueld [n=manueld@unaffiliated/manueld] has left ##openvpn []
02:19 -!- BoomSie [n=gideon@dw772421126.amsterdam-tc.dataweb.net] has joined ##openvpn
02:49 < kraut> moin
03:47 -!- shai [n=Shai@l192-117-110-233.cable.actcom.net.il] has joined ##openvpn
04:02 < shai> hi :) I'm trying to revoke a key and getting "unable to load certificate"
04:03 < shai> why is that?
04:05 < hawk> It's really the certificate that you're trying to revoke, right?
04:05 < shai> yes...
04:06 < shai> using: ./revoke-full my_laptop
04:14 -!- shai [n=Shai@l192-117-110-233.cable.actcom.net.il] has quit ["Leaving"]
05:34 -!- kala [i=kala@uba.linux.ee] has joined ##openvpn
05:38 -!- kala [i=kala@uba.linux.ee] has quit [Client Quit]
05:41 -!- kala [i=kala@uba.linux.ee] has joined ##openvpn
05:52 -!- aptanet [n=Paul@87-127-190-18.no-dns-yet.enta.net] has joined ##openvpn
05:58 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
06:01 -!- aptanet [n=Paul@87-127-190-18.no-dns-yet.enta.net] has quit [Nick collision from services.]
06:01 -!- aptanet [n=Paul@87-127-190-18.no-dns-yet.enta.net] has joined ##openvpn
06:48 -!- ProN00b [n=dot@pD9E3A9E8.dip.t-dialin.net] has quit [Read error: 104 (Connection reset by peer)]
06:52 -!- RexMundi [n=RexMundi@off.spillgroup.com] has joined ##openvpn
07:13 -!- Bushmills [n=nBushmil@verhau.de] has joined ##openvpn
07:26 < ecrist> morning, folks
07:33 -!- rmull_ is now known as rmull
07:33 < rmull> morning ecrist
07:42 -!- aptanet [n=Paul@87-127-190-18.no-dns-yet.enta.net] has quit [Read error: 110 (Connection timed out)]
07:53 * cpm yawns
07:54 -!- mhiku [n=mhiku@203.177.57.170] has quit [Read error: 110 (Connection timed out)]
08:08 -!- aptanet [n=Paul@87-127-190-18.no-dns-yet.enta.net] has joined ##openvpn
08:09 -!- Irssi: ##openvpn: Total of 33 nicks [0 ops, 0 halfops, 0 voices, 33 normal]
08:23 < ecrist> you know what would be a fun experiment?
08:23 < ecrist> on a large room, give some random, non-regular user ops, see what they do.
08:30 -!- aptanet [n=Paul@87-127-190-18.no-dns-yet.enta.net] has quit [Read error: 110 (Connection timed out)]
08:37 < cpm> go for it.
08:38 < ecrist> next random person that comes in, I'll ask chanserv to help them out. :)
08:38 < Optic> haha
08:40 < cpm> won'
08:40 < cpm> t work, We only allow identified user
08:40 < cpm> s
08:41 -!- Bheam [i=Bheam@77.94.234.164] has joined ##openvpn
08:41 < Bheam> does relaying work through vpn? say me and a friend create a vpn tunnel, then my friend has another tunnel with someone else.. will that someone else be able to reach me without having a direct vpn?
08:41 -!- mode/##openvpn [+o Bheam] by ChanServ
08:41 <@Bheam> err
08:41 <@Bheam> wt.?
08:42 < ecrist> ?
08:42 <@Bheam> @ ?
08:42 < ecrist> ?
08:42 <@Bheam> *shrug*
08:42 < ecrist> Bheam: that will work as long as the routes exist, or are created.
08:42 <@Bheam> cool
08:43 <@Bheam> so * ChanServ sets mode: +o Bheam
08:43 <@Bheam> what gives?
08:43 < ecrist> *shrug*
08:44 <@Bheam> so if me and my friend want 100% transparent network, we need to use same subnet and setup a bridged vpn right?
08:44 < ecrist> not really
08:44 <@Bheam> first time i try vpn :)
08:45 < ecrist> you can use routed vpn, and push the proper routes.
08:45 <@Bheam> but ipx and broadcasts don't go over routed it says
08:45 < ecrist> right.
08:45 < ecrist> for those protocols, you'd need bridged.
08:45 <@Bheam> so well 100% transparent include windows networking and old games :p
08:45 <@Bheam> doom 2 for teh win ;)
08:45 < ecrist> sure, why not?
08:45 < cpm> doom 2 == ipx
08:46 <@Bheam> well right
08:46 < ecrist> iirc, you can play doom2 across routes.
08:46 <@Bheam> i remember playing doom 2 with a coax cable across the street to my friend
08:46 <@Bheam> incidentally he pushed cable tv back through the same cable :D
08:46 < ecrist> didn't you just need to know the IP for who was hosting the 'server'?
08:47 <@Bheam> i don't remember doom2 having tcpip but i might be wrong
08:47 < cpm> don't think so. In fact, I know it didn't. At least originally.
08:48 < ecrist> I must be thinking of something else.
08:48 < ecrist> oh, quake 2 I think.
08:48 < ecrist> sorry.
08:48 <@Bheam> probably quake
08:48 <@Bheam> hehe
08:48 <@Bheam> anyway back to my question; for broadcasts to work we also need to be on the same subnet right?
08:48 < ecrist> of course.
08:48 < krzee> !google broadcast domain
08:49 < vpnHelper> krzee: http://en.wikipedia.org/wiki/Broadcast_domain - Broadcast domain - Wikipedia, the free encyclopedia
08:49 <@Bheam> so we need to divide up the subnet between us.. and i'll use a set of ips for static, some for dhcp and some for vpn bridge right?
08:49 < rmull> Broadcasts won't work unless your VPN is bridged, not tunneled.
08:49 <@Bheam> yea that i read :)
08:49 -!- aptanet [n=Paul@87-127-190-18.no-dns-yet.enta.net] has joined ##openvpn
08:52 <@Bheam> but there's one part i don't get.. the syntax of server-bridge is
08:52 < ecrist> yep
08:53 <@Bheam> well since we're both connecting to each other, does my ip need to be part of the pool?
08:54 <@Bheam> ie. should we have the same ip pool for vpn clients?
08:54 <@Bheam> or does each vpn connection need its own private ips?
08:55 <@Bheam> i'm probably confused and confusing :p
08:59 <@Bheam> why do i need to set an ip pool for connecting clients? i mean they have already set their own ip
08:59 < ecrist> Bheam: you're best off having one VPN hub and be part of the same pool.
08:59 < ecrist> with ccds, you can set static IPs.
09:00 <@Bheam> i mean why does the vpn have to manage ips at all? isn't that up to each of the networks by itself?
09:00 <@Bheam> especially when i'm setting bridge mode
09:00 < ecrist> it doesn't *have* to. It can.
09:00 <@Bheam> o.
09:00 <@Bheam> what's 'ccds'
09:00 < ecrist> in bridging, it's all one network.
09:00 < ecrist> !howto
09:00 < vpnHelper> ecrist: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
09:01 <@Bheam> it sounded like i had to reserver extra ips for every vpn connection
09:01 <@Bheam> reserve*
09:04 < krzee> !ccd
09:04 < vpnHelper> krzee: "ccd" is entries that are basically included into server.conf, but only for the specified client
09:05 < krzee> hey ecrist i had that part of the wiki named route push route and iroute for google
09:05 < krzee> to get it a better index cause it's helpful
09:06 < ecrist> krzee: put that at the head of the file, in a meta or something.
09:06 < ecrist> it was a really ugly URL.
09:06 < krzee> !route
09:06 < vpnHelper> krzee: Error: "route" is not a valid command.
09:06 < krzee> !iroute
09:06 < vpnHelper> krzee: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. ccd entries are basically included into server.conf, but only for the specified client, so when the network is behind a client the iroute goes into the clients ccd entry.
09:06 < ecrist> I've not had problems with google indexing pages on the wiki yet, with sensible urls.
09:06 < krzee> bleh what command did i make that
09:08 < krzee> !lans
09:08 < vpnHelper> krzee: "lans" is https://www.secure-computing.net/wiki/index.php/Multiple_Lans-route-push_route-iroute
09:08 < krzee> !forget lans
09:08 < vpnHelper> krzee: The operation succeeded.
09:08 <@Bheam> can i be both a server and a client?
09:08 < ecrist> krzee: that URL will still work, I did a wiki move.
09:08 < krzee> oh
09:08 < ecrist> if you click on it, you will see (Redirected from Multiple Lans-route-push route-iroute)
09:10 < krzee> hey nice
09:10 < krzee> !learn freebsd as https://www.secure-computing.net/wiki/index.php/OpenVPN_Server
09:10 < vpnHelper> krzee: The operation succeeded.
09:11 < krzee> !howto
09:11 < vpnHelper> krzee: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
09:11 -!- Irssi: ##openvpn: Total of 34 nicks [1 ops, 0 halfops, 0 voices, 33 normal]
09:14 < rmull> So I've got a question for you gents.
09:15 < rmull> http://pastebin.ca/raw/1177468
09:15 < rmull> What's going on here?
09:15 < rmull> This is the client log
09:15 < rmull> Server log shows nothing
09:15 < krzee> maybe it can't resolve my.ip.add.ress
09:15 < krzee> lol jk
09:15 < rmull> <_<
09:15 < krzee> verb 6?
09:15 < rmull> Lol
09:15 < rmull> Yeah
09:15 < rmull> You want more?
09:15 < krzee> 6 is fine
09:16 < krzee> let us get the whole log and server too
09:16 < rmull> Okay, let me do some collecting.
09:17 < rmull> It's basically the stock sample confs.
09:20 < rmull> server.conf: http://pastebin.ca/raw/1177479
09:20 < krzee> nah meant server logs
09:21 <@Bheam> if i want to run without certificates, can i just comment out the ca/cert/key/dh lines?
09:21 < krzee> and turn its verb up to 6
09:21 < krzee> Bheam, no
09:21 <@Bheam> i want to get everything up and running before i add certs :p
09:21 < krzee> and why in the world would you wanna do that?
09:22 <@Bheam> just to simplify the process. i got low brain capacity :p
09:22 < krzee> windows?
09:26 < krzee> rmull, from mail archives looks like either a cert issue or firewall issue
09:26 -!- negboy [i=hamid@unaffiliated/negboy] has joined ##openvpn
09:27 -!- mode/##openvpn [+o negboy] by ChanServ
09:27 < ecrist> ?
09:27 < ecrist> what's up negboy?
09:28 < rmull> krzee: iptables on the vpn server has been turned off for testing, external firewall is a cisco router with 1194/UDP open and identically configured as an existing, working openvpn install
09:28 < rmull> server log: http://pastebin.ca/raw/1177491
09:28 < rmull> krzee: Checking mailing list
09:28 <@negboy> ecrist: hi, i wanna connect with my connection , i was windows user but now im linux user . how do i connect to my connection ?
09:28 < ecrist> what?
09:30 <@negboy> ecrist: openvpn connction.opvn 09:30 <@negboy> ecrist: next what ? 09:30 < Optic> hi 09:30 <@Bheam> docs say: The addresses used for local and remote should not be part of the bridged subnet -- otherwise you will end up with a routing loop. but have no mention of the term 'remote' in that section, clues? 09:30 <@negboy> ecrist: why im op !? 09:30 <@Bheam> i was wondering that too :p 09:30 < Optic> op! 09:31 < rmull> :bow: 09:31 < Optic> hi rmull 09:31 < rmull> Salut, optic 09:31 <@Bheam> chanserv has eaten some buffer overflow i think 09:32 -!- hamid [i=hamid@unaffiliated/negboy] has joined ##openvpn 09:32 -!- hamid [i=hamid@unaffiliated/negboy] has left ##openvpn [] 09:33 <@negboy> im op ! 09:33 <@negboy> why ? 09:33 <@negboy> haha ! irc has broken :P 09:33 -!- mode/##openvpn [-o negboy] by negboy 09:34 < negboy> ecrist: don't you wanna help me ? 09:35 <@Bheam> bbl 09:35 < ecrist> negboy, have some patience, I'm a bit busy as I'm at work. 09:35 < ecrist> you need to also be more specific about what you need. 09:35 < ecrist> what do you have set up, what have you been trying, etc. 09:36 -!- rgsteele||work [n=rgsteele@75.147.74.137] has joined ##openvpn 09:36 < krzee> lol 09:36 < krzee> chanserv likes you Bheam 09:37 -!- mode/##openvpn [+o rgsteele||work] by ChanServ 09:38 < ecrist> my test isn't nearly as exciting as I hoped it would be, cpm. ;) 09:39 <@rgsteele||work> What, opping the next guy who joined the channel? :) 09:39 <@rgsteele||work> Sorry to disappoint ;) 09:39 < negboy> ecrist: so, take it easy. i like the RTFM :) 09:40 < rmull> krzee: Looks like it's a firewall issue - I can connect to the server across the LAN. 09:40 < rmull> hinteresting. 09:40 < krzee> try tcp just for testing 09:40 < krzee> easy to test tcp with telnet 09:42 < krzee> dude efnet is so hacked 09:44 < negboy> for openvpn in linux i should set firefox with it ? 09:46 < cpm> Intrusive firefox settings will vpn access wilting joy not gathered in storms. 
09:47 < rmull> lol cpm 09:47 < cpm> Alas, the day. 09:48 <@rgsteele||work> Hey guys - I've got a Windows box that, when the link to the openvpn server drops out for whatever reason, won't reconnect unless manually restarted. It's got the ping-restart option specified, and I've also set persist-tun and persist-key, but it doesn't seem to help: http://pastie.org/254955 09:48 <@rgsteele||work> All the Linux boxes work just fine, and since reconnecting is the client's job, I'm pretty sure it's something local to that machine. Windows firewall is probably not the issue, since manually restarting works. 09:49 < krzee> it reads your cert files!? 09:49 < krzee> i thought windows had to be // 09:49 < cpm> so, it does work, the vpn comes up, connections, and functions correctly for a while, then drops and will not reconnect? 09:49 <@rgsteele||work> It's running in a cygwin environment. 09:49 * cpm runs away 09:50 * krzee follows cpm 09:50 <@rgsteele||work> Well, our ISP sucks and occasionally the link dies out, and when that happens, the Windows box attempts to reconnect to the VPN server at the colo but fails. 09:50 < cpm> I'm a pretty big fan of cygwin. But since the windows openvpn implementations are really quite good, I'd stick with them. 09:50 < krzee> im a pretty big fan of never using windows ;] 09:50 < cpm> well, there is that. 09:51 < krzee> lol 09:51 <@rgsteele||work> It's the only Windows box in the company. 09:51 < cpm> but 'when in hell', 09:51 < krzee> bahaha 09:51 <@rgsteele||work> But, I gotta make it work :) 09:51 < cpm> drop the cygwin openvpn implementation. Go with the windows native 09:51 < cpm> just a thought 09:51 < krzee> !learn windows as im a pretty big fan of never using windows ;] well, there is that. but 'when in hell', 09:51 < vpnHelper> krzee: Error: Spurious "]". You may want to quote your arguments with double quotes in order to prevent extra brackets from being evaluated as nested commands. 
09:52 < krzee> !learn windows as im a pretty big fan of never using windows well, there is that. but 'when in hell', 09:52 < vpnHelper> krzee: The operation succeeded. 09:52 < krzee> had to 09:52 <@rgsteele||work> Actually, just looking at it, it looks like it is the Windows native version. 09:53 <@rgsteele||work> Even though cygwin is on the box. 09:53 < krzee> !windows 09:53 < vpnHelper> krzee: "windows" is im a pretty big fan of never using windows well, there is that. but 'when in hell', 09:53 <@rgsteele||work> ...yeah, no openvpn in the ps output 09:53 < kala> rgsteele||work: do you have log file ? 09:53 <@rgsteele||work> Yep, it's in the paste: http://pastie.org/254955 09:54 < kala> process restarting and thats it? 09:54 <@rgsteele||work> It loops over and over on that until it's manually restarted. 09:54 < kala> umm 09:54 < kala> I think I saw something like that 09:55 < kala> my config doesn't use persist-tun 09:55 <@rgsteele||work> I've tried it without that too. 09:56 < krzee> !sample 09:56 < vpnHelper> krzee: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs 09:56 < krzee> i dont have ping-restart in client 09:56 < krzee> but i have keepalive 10 120 in server 09:56 -!- BoomSie [n=gideon@dw772421126.amsterdam-tc.dataweb.net] has quit ["Ex-Chat"] 09:57 < krzee> also 09:57 < krzee> for debugging you need to put verb 6 09:58 < cpm> do not verb nouns! 09:58 <@rgsteele||work> krzee: The manpage says that's for server mode. 09:58 <@rgsteele||work> Can that directive be used on the client side? 09:59 -!- negboy [i=hamid@unaffiliated/negboy] has left ##openvpn [] 09:59 <@rgsteele||work> And, is it just equivalent to the ping and ping-restart options? 09:59 <@rgsteele||work> Theoretically, they should both be different means to the same end. 09:59 < krzee> rgsteele||work, if the manpage says its for server, whyd you put it in client? 10:00 <@rgsteele||work> The manpage says ping-restart can be used on the client. 
10:00 < krzee> oh 10:00 < krzee> ok well put verb 6 if you want useful output in your logs 10:01 <@rgsteele||work> Alright, I'll give it a shot. 10:06 -!- mode/##openvpn [-o rgsteele||work] by ChanServ 10:07 -!- Irssi: ##openvpn: Total of 34 nicks [1 ops, 0 halfops, 0 voices, 33 normal] 10:07 -!- mode/##openvpn [-o Bheam] by ChanServ 10:38 -!- Bushmills [n=nBushmil@verhau.de] has left ##openvpn ["Leaving."] 10:56 < rmull> krzee: Rofl, boss told me to use an IP that we don't own for the VPN server <_< 10:56 < rmull> That's why it wasn't working. 10:56 < rmull> Solved! 10:56 < rmull> :P 10:56 < ecrist> lol 10:58 < rmull> So the websites tell me that to flush my dns cache i restart the nscd service, but I don't run the nscd services. 10:58 < rmull> Can I still clear my DNS cache? 11:00 < ecrist> rmull: on what OS? 11:00 < ecrist> dns cache is OS dependent. 11:01 < krzee> bahaha 11:01 < krzee> if windows ipconfig/flushdns 11:03 < rmull> krzee: That's what I'm trying to duplicate on Linux. 11:04 < krzee> ps auxw|grep nscd 11:04 -!- prattfall [n=sten@c-68-51-79-157.hsd1.il.comcast.net] has joined ##openvpn 11:06 < krzee> and if theres no nscd service, your box isnt caching dns 11:06 < krzee> but your NS might be 11:06 < rmull> krzee: Ahh, that's probably what it is. 11:26 < Bheam> generic bridging question; when i have computer A (router) B (bridge) C (windows desktop) and D (computer on other side of bridge), what do i have to do to make ping from C -> D work ? 11:26 < Bheam> A being default gateway (it doesn't know about D) 11:28 < rmull> !windows 11:29 < vpnHelper> rmull: "windows" is im a pretty big fan of never using windows well, there is that. but 'when in hell', 11:29 < krzee> lol 11:29 < rmull> krzee: Can anyone issue !learn commands, or just you? 11:29 < krzee> all 11:30 < krzee> unless it becomes a problem 11:30 < rmull> Gotcha 11:30 < krzee> !forget windows 11:30 < vpnHelper> krzee: The operation succeeded. 
11:30 < krzee> Bheam, could help you if it wasnt a bridge 11:30 < krzee> with tun, i made a writeup on that 11:30 < krzee> !bridge 11:30 < vpnHelper> krzee: "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better., or (#4) useful for windows sharing (without wins server) and LAN gaming, anything where (1 more message) 11:31 < krzee> !more 11:31 < vpnHelper> krzee: the protocol uses MAC addresses instead of IP addresses. 11:31 < rmull> krzee: I read your writeup 11:31 < krzee> rmull, its !learn as 11:31 < krzee> rmull, did it make sense to ya? 11:31 < rmull> Mostly. Just wanted to simplify things though 11:32 < krzee> !lans 11:32 < vpnHelper> krzee: Error: "lans" is not a valid command. 11:32 < krzee> bleh 11:32 < krzee> !wiki 11:32 < vpnHelper> krzee: "wiki" is https://www.secure-computing.net/wiki/index.php/OpenVPN 11:32 < rmull> So in your writeup your scenario is a small pool of clients that want to push routes to their LANs to the rest of the VPN 11:32 < krzee> !learn lans as https://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 11:32 < vpnHelper> krzee: The operation succeeded. 11:32 < krzee> !learn routeing as https://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 11:32 < vpnHelper> krzee: The operation succeeded. 11:33 < rmull> And you're using ccd to do this because you "know" the routes to those client lans ahead of time 11:33 < krzee> in my writeup, there is a lan behind the server, and behind the clients 11:33 < rmull> Right. Say you only care about making the server's lan accessible to the clients 11:33 < krzee> and all lans should communicate with each other 11:33 < rmull> You'd need to push the route to the clients 11:33 < rmull> But is that enough? 
11:33 < krzee> right, but then client lans cannot talk to server 11:34 < rmull> Okay. Which directive would be necessary then? A route from the VPN subnet to the server LAN's subnet? 11:34 < krzee> and server lan gateway needs to know about the route to vpn 11:34 < rmull> I mean, no wait 11:34 < rmull> I don't want to publish the client lans 11:34 < rmull> Just the server lan. 11:34 < krzee> shit i should add something bout that 11:35 < rmull> If I don't control the gateway's routing table, is allowing access to the server's subnet impossible? 11:35 < krzee> forgot to mention this assumes openvpn is on the default router for each lan 11:35 < krzee> yes and no 11:35 < krzee> you can manually add the route to each machine on the lan 11:35 < krzee> see the thing is this: 11:35 < krzee> lan machine gets a packet from vpn server who is on its lan 11:36 < krzee> packet came from client 11:36 < krzee> (vpn client) 11:36 < rmull> ohhh 11:36 < krzee> so it has vpn ip 11:36 < krzee> ? 11:36 < krzee> oops 11:36 < rmull> Yeah, that makes sense 11:36 < krzee> but how does it respond to vpn ip? 11:36 < krzee> if it dont have a route, it sends to default gateway 11:36 < krzee> if default gateway is vpn machine, all is well 11:37 < krzee> if not, it should have a route saying vpn network goes to vpn machine 11:37 < krzee> otherwise, no connection 11:37 < rmull> I guess I was just assuming that openvpn would "rewrite" or "spoof" the source IPs on the VPN packets or something. 11:37 < krzee> NAT 11:38 < krzee> no ovpn leaves NAT to the OS 11:38 < krzee> !nat 11:38 < vpnHelper> krzee: "nat" is http://openvpn.net/howto.html#redirect 11:38 < rmull> Sick, thanks 11:38 < krzee> np 11:39 < rmull> I don't know why I'm asking -- I have to set up ethernet bridging, but I'd much rather run routed tunnel 11:40 < krzee> samba? 
11:40 < rmull> Yeah 11:40 < rmull> Well, not technically samba 11:40 < krzee> gotchya 11:40 < rmull> Basically all the servers and clients on this network are windows 11:41 < rmull> So everyone merrily uses netbios names and windows shares 11:41 < krzee> maybe after you get your bridge perfect you could make a writeup on that 11:41 < krzee> im only good with routed 11:41 < rmull> I wouldn't mind, just have to figure it out first. 11:41 < krzee> lol, yup 11:41 < krzee> step 1, figure it out 11:41 < krzee> step 2, write up 11:41 < krzee> step 3, ??? 11:41 < krzee> step 4, profit! 11:42 < krzee> oh god, tequila hangover + cigarette = gag 11:43 < rmull> Busy Sunday night for ya? 11:43 < rmull> :D 11:43 < krzee> 2 for 1 everything at my fav bar 11:44 < krzee> for guys 11:44 < krzee> its mans night 11:44 < krzee> ladys night is sat, they get free drinks all night 11:44 < rmull> Man's Night? What is this, Germany? 11:44 < krzee> caribbean 11:44 < rmull> ahh 11:45 < krzee> they gave girls a night, but all us owners friends are men 11:45 < krzee> so we needed a night too 11:45 < krzee> lol 11:45 < ecrist> rmull: a properly setup WINS server and DHCP will allow it to work across subnets. 
11:46 < krzee> that is tru 11:46 < rmull> ecrist: That's a probable long-term solution- I'm heading back to school at the end of this week, so I don't have time to replace all the windows trash on this net 11:47 < krzee> PITA, but tru 11:47 < krzee> ild prolly set it up as a bridge too tho 11:47 < krzee> just to not admin a wins server 11:47 < rmull> I have to get a semi-working openvpn in place, and a bacula network backup system in place before the end of the week 11:49 < krzee> if i was you ild make sure i guard against arp poisoning when connecting all your networks 11:50 < krzee> 1 compromised host in 1 lan would = all lans owned 11:50 < krzee> when connecting with bridge 11:50 < rmull> I thought arp-poisoning was a thing of the past, bleh 11:51 * rmull googs 11:51 < krzee> of the past!? 11:51 < krzee> noway! 11:51 < krzee> its the best coffee shop entertainment around 11:51 < krzee> well i guess that and cookie-theft 11:51 < rmull> Could have sworn that modern routers dealt with it invisibly 11:52 < krzee> some 11:52 < krzee> not many ive encountered in the wild 11:53 < rmull> bah. 11:53 < rmull> damn internets 11:53 < rmull> always getting me down 11:53 < rmull> Eventually we'd be fairly VLAN'd out 11:55 < rmull> Okay, gotta get back to my friend Bacula now. 11:55 -!- rmull is now known as rmull_ 11:57 -!- mode/##openvpn [+o krzee] by ChanServ 11:57 -!- mode/##openvpn [-o krzee] by krzee 11:57 < krzee> coo 12:04 -!- xattack [i=invitado@132.248.108.239] has joined ##openvpn 12:11 -!- Netsplit kubrick.freenode.net <-> irc.freenode.net quits: kraut 12:17 < Bheam> i have a problem :/ 12:17 < Bheam> how do i route traffic to a bridge? 
:p 12:18 -!- mooseman447 [n=mooseman@207-172-54-23.c3-0.tlg-ubr5.atw-tlg.pa.cable.rcn.com] has joined ##openvpn 12:18 < Bheam> my default gateway is of course my internet connection 12:18 < Bheam> but i have a bridge running on another computer 12:18 < Bheam> does traffic even need to be routed to a bridge or is a bridge listening to all ips? 12:20 -!- mooseman447 [n=mooseman@207-172-54-23.c3-0.tlg-ubr5.atw-tlg.pa.cable.rcn.com] has quit [Client Quit] 12:21 < Bheam> and after i created the bridge, tcpdump won't stop by ctrl+c i have to kill it 12:29 -!- gallatin [n=gallatin@dslb-092-072-075-052.pools.arcor-ip.net] has joined ##OpenVPN 12:32 < ecrist> Bheam: you don't/can't route a bridge 12:33 < ecrist> you need to have ip forwarding enabled on your interfaces/kernel, though. 12:33 < ecrist> on freebsd, it's sysctl net.ip.forwarding, iirc 12:51 < prattfall> since routing v. bridging seems to be popular today - anyone know if bridging is necessary for SIP? 12:51 < prattfall> i'm routing now, but my SIP traffic is getting dumped, and it looks like it's happening at my local openvpn endpoint 12:52 < prattfall> nothing else appears to be affected 12:54 < prattfall> or am i just failing at firewalls? 
basically, my SIP server lives at 10.80.0.1, as does my openvpn server 12:55 < prattfall> on my client side, there's a Linksys running Freewrt that connects to the openvpn server and i'm using route/iroute to send traffic between 10.80 and the client lan at 10.60.0.0/24 12:56 -!- bandini [n=bandini@host173-110-dynamic.31-79-r.retail.telecomitalia.it] has joined ##openvpn 12:56 < prattfall> when the vpn client comes up, it runs a script that says 12:56 < prattfall> iptables -A INPUT -i tun+ -j ACCEPT 12:56 < prattfall> iptables -A FORWARD -i tun+ -j ACCEPT 12:56 < prattfall> iptables -A FORWARD -i br0 -o tun+ -j ACCEPT 12:56 < prattfall> iptables -A FORWARD -i tun+ -o br0 -j ACCEPT 12:56 < prattfall> everything but SIP seems happy with that config 12:57 < krzee> no bridge needed for sip 12:57 < krzee> think of it this way 12:57 < krzee> if it can go over the inet, no need for bridge 12:57 < krzee> if it is lan only, bridge time! 12:58 < prattfall> yeah, that was my thought. SIP is notoriously pissy, but its because of NAT which doesn't apply here 12:59 < krzee> are you using nat traversal? 12:59 < krzee> STUN 12:59 < prattfall> no 12:59 < krzee> use STUN! 12:59 < prattfall> not on this side of the firewall anyway 12:59 < krzee> ohhhh i see 13:00 < prattfall> why would i need stun if i'm not going through a nat? 13:00 < krzee> sip is only going over vpn ips 13:00 < prattfall> right 13:00 < krzee> you are vpn'ed to the phone server 13:00 < krzee> secure comms 13:00 < prattfall> well, my linksys is 13:00 < krzee> nice man 13:00 < prattfall> yeah, till them men in black hijack my linksys :) 13:00 < prattfall> WPA2 FTL 13:00 < krzee> and your linksys gives your computer nat? 13:00 < prattfall> no 13:01 < prattfall> its my openvpn endpoint at the client location 13:01 < krzee> right 13:01 < prattfall> so it connects clients on 10.60 via openvpn to the server at .80 13:01 < krzee> but its not running voip software... 13:01 < krzee> so what runs the voip? 
13:01 < prattfall> ht elinksys? no 13:01 < krzee> an ATA behind the linksys? 13:01 < prattfall> god, i suck at typing today 13:02 < Optic> hi 13:02 -!- rgsteele||work [n=rgsteele@75.147.74.137] has quit [Remote closed the connection] 13:02 < prattfall> there's a SIP softclient (zoiper) on 10.60 13:02 < prattfall> trying to talk to the SIP server on 10.80 13:02 < prattfall> the linksys handles VPN connection from 10.60 to 10.80 13:02 < krzee> i dont get your ip notation 13:02 < krzee> 10.60.x.x 13:03 < krzee> or 192.168.10.60 13:03 < prattfall> right 13:03 < krzee> ok 13:03 < prattfall> no, 19.60.x.x 13:03 < prattfall> 10 13:03 < krzee> so vpn is 10.80.x.x 13:03 < prattfall> yes 13:03 < krzee> and lan is 10.60.x.x 13:03 < prattfall> yeah 13:03 < krzee> linksys gives out 10.60.x.x ips 13:03 < prattfall> correct 13:03 < krzee> that is called NAT 13:03 < krzee> use stun 13:04 < prattfall> buh? 13:04 < krzee> :-p 13:04 < prattfall> but the server at 10.80.0.1 can ping my 10.60 hosts 13:05 < krzee> right 13:05 < ecrist> foo 13:05 < prattfall> i used iroute on the openvpn server to send stuff back to 10.60 13:05 < krzee> your linksys is doing nat right 13:05 < krzee> and your vpn is right 13:05 < krzee> setup a stun server for internal vpn ip usage 13:05 < krzee> on your voip box 13:06 < krzee> and life will be good 13:06 < prattfall> ok... i'm gonna need to do STUN eventually when I open SIP up to the public tubes... 
13:06 < prattfall> but i'm confused where NAT comes into play 13:07 < prattfall> i thought with iroute i was just routing between the 2 subnets 13:08 < prattfall> like my hosts on 10.60.x.x and 10.80.x.x can talk back and forth over their regular IPs 13:16 -!- mooseman447 [n=mooseman@207-172-54-23.c3-0.tlg-ubr5.atw-tlg.pa.cable.rcn.com] has joined ##openvpn 13:17 < mooseman447> hey 13:18 < mooseman447> why would i get a lot of waiting for tun/tap interface to come up in the client log when i know the vpn server works 13:18 < krzee> ok nat comes in to play with voip 13:18 < krzee> NOT with your vpn 13:18 < krzee> your vpn is fine prattfall 13:19 -!- mode/##openvpn [+o mooseman447] by ChanServ 13:19 < prattfall> ok 13:19 < krzee> lookup STUN 13:19 < krzee> it is NAT traversal 13:19 < krzee> for VOIP 13:19 < prattfall> but it sounds like you're saying there's a NAT between my 2 subnets 13:19 < krzee> dude, your linksys is a nat-box 13:19 < krzee> it does nat! 13:19 < krzee> your vpn doesnt mind at all 13:20 < krzee> but your SIP does! 13:20 <@mooseman447> if im on a wifi that uses the same ip subnet as my vpn servers network is that a problem? 13:20 < krzee> yes 13:20 < ecrist> mooseman447: yes 13:20 < ecrist> very much so 13:20 < krzee> big problem 13:20 < prattfall> my linksys does NAT out to the internet, but it should just be routing VPN traffic across the VPN 13:20 < krzee> like, not gunna work style 13:20 <@mooseman447> ok what could i do to remedy it 13:21 < krzee> change one of the LANs 13:21 < ecrist> mooseman447: change your VPN subnet 13:21 < ecrist> most LANs use 192.168.x or 10.x 13:21 < ecrist> try to use 172.30.x for your vpn 13:21 < krzee> hes saying both sides of the LAN use same subnet 13:21 <@mooseman447> my vpn is bridging mode though so i wouldnt i need to change my entire network? 
13:21 < krzee> personally to avoid that stuff ild go to 10.99.x.x or somethin 13:22 < krzee> or 10.20.30.x 13:22 < ecrist> krzee: no, stay out of 10.x 13:22 <@mooseman447> yea my home uses 192.168.1.x and apparently this wifi im using is 192.168.1.x also 13:22 < krzee> ecrist, i just stay out of common 10.x 13:22 < krzee> its easier to remember 13:22 < ecrist> 10.x is a class A subnet. 13:22 < ecrist> often used as such. 13:22 < ecrist> correctly or not. 13:23 < krzee> i can never remember the 172 1918 ips 13:23 < krzee> i can remember the RFC but not the 172 ips 13:23 < krzee> haha 13:23 < ecrist> mooseman447: you could change your home LAN to 192.168.37.x, to avoid such problems. 13:23 < krzee> yup 13:23 < ecrist> krzee: 172.x/8 is 1918 13:23 < krzee> ahh 13:24 < krzee> err no 13:24 < krzee> 172.16.0.0/12 13:24 < ecrist> !learn 1918 as http://www.faqs.org/rfcs/rfc1918.html 13:24 < vpnHelper> ecrist: The operation succeeded. 13:24 <@mooseman447> hmm that would be pretty annoying because im very used to my current setup... 13:24 < ecrist> oh, yeah 13:24 < ecrist> mooseman447: annoying how? 13:24 < ecrist> setup local DNS and IPs don't matter. 13:24 < ecrist> :\ 13:25 < krzee> !learn 1918 as http://en.wikipedia.org/wiki/Private_network or http://www.faqs.org/rfcs/rfc1918.html 13:25 < vpnHelper> krzee: The operation succeeded. 13:25 < krzee> !forget 1918 1 13:25 < vpnHelper> krzee: The operation succeeded. 13:25 < krzee> !1918 13:25 < vpnHelper> krzee: "1918" is http://en.wikipedia.org/wiki/Private_network or http://www.faqs.org/rfcs/rfc1918.html 13:25 <@mooseman447> hmm i guess thats true 13:25 < ecrist> you're foolish if you're going to dwell on IP assignments. 
13:25 < krzee> [14:20] my linksys does NAT out to the internet, but it should just be routing VPN traffic across the VPN 13:26 < krzee> you need stun for your voip 13:26 < krzee> you are not having a vpn problem 13:26 < krzee> argue about it in a voip channel =] 13:26 < prattfall> i'm not arguing, i'm trying to understand why i'd need nat traversal on a network with no nat 13:26 < krzee> dude 13:26 < krzee> do you have a problem with your vpn? 13:27 -!- mode/##openvpn [+o prattfall] by ChanServ 13:27 < krzee> or just with your voip? 13:27 <@prattfall> i think there's a problem where traffic that's supposed to hit the vpn isn't 13:27 < krzee> its only 1 protocol not working? 13:27 <@prattfall> agreed, the only thing that seems to be affected is voip 13:27 < ecrist> prattfall: what do your routing tables look like? 13:28 < krzee> ecrist, its only SIP that is not working 13:28 < ecrist> oh 13:28 < krzee> i used to 1/2 run a voip company 13:28 < ecrist> what's the symptom? 13:28 < krzee> and he needs stun 13:28 < ecrist> krzee: come figure out my SIP problems, then. 13:28 < krzee> you need stun too! 13:28 < krzee> stun for all!!! 13:28 < krzee> lol 13:29 * prattfall is stunned 13:29 < krzee> bahaha 13:29 < krzee> nice one 13:29 < ecrist> naw, I've got a Polycom phone that, after firmware update to 3.0, won't connect to our SIP provider. 13:29 < krzee> ouch 13:29 < ecrist> but 7 other phones work fine. 13:29 < krzee> tried reloading the firmware again? 13:29 < ecrist> can't 13:30 < ecrist> I enter config, try to give it an FTP server address, and it ignores it. 13:30 < ecrist> as if it weren't there. 13:30 < ecrist> :\ 13:31 -!- xattack [i=invitado@132.248.108.239] has quit ["Leaving"] 13:31 < krzee> weaksauce 13:31 < krzee> tried sniffing to see whats going on? 13:32 < krzee> like is it even trying for the config / sip provider? 
13:32 < ecrist> no 13:32 < ecrist> well, yes 13:32 < krzee> thats a good place to start 13:32 < krzee> get all sniffy 13:32 < ecrist> the phone keeps asking for BOOTP, but ignores responses. 13:32 < ecrist> I tried providing DHCP option 66, but didn't do any good. 13:34 < krzee> hrmz 13:34 < krzee> that sucks man 13:34 < krzee> ild hafta play with it to have a clue 13:34 < krzee> sounds like a brick but i wouldnt give up on it 13:35 < ecrist> waiting for a response back from our SIP provider. 13:35 < ecrist> it's still under warranty, so I'm not sweating it. 13:35 < krzee> oh sweet 13:35 < krzee> who you guys use for sip? 13:35 < ecrist> ironvoice 13:35 < ecrist> formerly heavylogic 13:35 < krzee> sounds beefy 13:35 < krzee> IRONVOICE 13:36 < krzee> like you hafta say it in a deep voice 13:36 < rmull_> Heavylogic? Ironvoice?? 13:36 < rmull_> BEEFCAKE 13:36 < krzee> lol 13:36 * ecrist starts an SIP provider called 'Cheesy Poofs' 13:36 -!- mode/##openvpn [+o rmull_] by ChanServ 13:36 < krzee> ecrist, dude, thats actually a good idea 13:36 < krzee> except you'll never get the domain 13:37 < krzee> nevaaaahhhhhhhh 13:38 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn 13:38 < ecrist> yeah, prolly. 13:39 < ecrist> well, I've gotta bail, head down to our data center. 13:39 < ecrist> heya, ompaul 13:39 -!- mode/##openvpn [-o rmull_] by ChanServ 13:39 -!- mode/##openvpn [-o mooseman447] by ChanServ 13:39 -!- mode/##openvpn [-o prattfall] by ChanServ 13:41 < ompaul> ecrist, evening 13:41 < Bheam> grrrr 13:41 < Bheam> i can't figure out how to make a client-client over bridge setup :( 13:44 < ecrist> Bheam: someone's gotta be a server. 13:50 -!- mooseman447 [n=mooseman@207-172-54-23.c3-0.tlg-ubr5.atw-tlg.pa.cable.rcn.com] has quit [Read error: 110 (Connection timed out)] 13:51 < Bheam> yes but how can i setup bridge for the client? 
13:51 < Bheam> as the bridge directive is server-bridge 13:52 < Bheam> and it doesn't go with the client directive 14:10 -!- gallatin [n=gallatin@dslb-092-072-075-052.pools.arcor-ip.net] has quit [Remote closed the connection] 14:25 -!- prattfall [n=sten@c-68-51-79-157.hsd1.il.comcast.net] has quit ["leaving"] 14:25 -!- kraut [i=kraut@blackhole.packetloss.biz] has joined ##openvpn 14:27 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Client Quit] 14:38 -!- Axet [n=john@glou.nurvnet.org] has quit [Read error: 104 (Connection reset by peer)] 14:43 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 15:00 < rmull_> lol chanserv 15:08 -!- bandini [n=bandini@host173-110-dynamic.31-79-r.retail.telecomitalia.it] has quit ["Ex-Chat"] 15:10 -!- sega01 [n=sega01@2001:470:8:29:250:4ff:fe20:dbc4] has quit ["leaving"] 15:40 -!- mooseman447 [n=mooseman@24.115.241.137.res-cmts.sm.ptd.net] has joined ##openvpn 15:43 -!- mooseman447 [n=mooseman@24.115.241.137.res-cmts.sm.ptd.net] has quit [Client Quit] 16:30 < Bheam> right 16:30 < Bheam> i got it working with the minimal commandline example now 16:30 < Bheam> now.. is there any way to add certs without having a server/client configuration? 16:30 < Bheam> or any kind of encryption 16:54 < Bheam> and i'm having trouble coexisting with the bridged network :( 17:15 -!- krzy [i=krzee@unaffiliated/krzee] has joined ##openvpn 17:21 < rmull_> plaerzen: You there? 17:44 < krzy> !learn router as is you are using one of those hacked up linksys linux routers, and you are not logging... dont expect help until you turn on logging so you can post them 17:44 < vpnHelper> krzy: The operation succeeded. 17:44 < krzy> !forget router 17:44 < vpnHelper> krzy: The operation succeeded. 17:44 < krzy> !learn router as if you are using one of those hacked up linksys linux routers, and you are not logging... dont expect help until you turn on logging so you can post them 17:44 < vpnHelper> krzy: The operation succeeded. 
17:48 -!- onre [i=esp@static.fi] has joined ##openvpn 18:04 < krzy> !learn netman as if you are using network manager for linux to configure your vpn, dont! http://openvpn.net/archive/openvpn-users/2008-01/msg00046.html to read the same thing from an openvpn expert on the mail list 18:04 < vpnHelper> krzy: The operation succeeded. 18:09 < Bheam> so i have a bridged vpn working.. but want to add traffic shaping, which interface should traffic shaping run on? eth0? br0? or tap0? 18:14 < krzy> good question 18:14 < krzy> my guess is br0 18:14 < krzy> when you get that figured out i would like to know too 18:21 -!- aptanet [n=Paul@87-127-190-18.no-dns-yet.enta.net] has quit ["Leaving"] 18:32 < Bheam> hm tried something called htb-gen and set eth0 and local and tap0 as remote, but it doesn't seem to intercept any traffic.. i tried br0/br0 also 18:33 < krzy> no idea how that software works 18:34 < krzy> i just use the O'\s firewall for that stuff 18:34 < krzy> err OS's 18:34 < krzy> not really an openvpn question tho tbh 18:35 < krzy> you should prolly ask whoever makes or supports htb-gen 18:42 < krzy> !learn notopenvpn your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem 18:42 < vpnHelper> krzy: Invalid arguments for learn. 18:42 < Bheam> well my problems might be bridge/vpn related 18:42 < krzy> !learn notopenvpn as your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem 18:42 < vpnHelper> krzy: The operation succeeded. 18:42 < krzy> no, you are wondering if while using htb-gen on a bridge, which interfaces to choose as remote and local 18:43 < Bheam> well i've come down to that it doesn't matter.. 
i'm not getting any traffic regardless 18:43 < Bheam> so there's a different problem 18:44 < krzy> oh you were trying to setup traffic shaping on your bridge before you got your bridge working? 18:44 < Bheam> no.. 18:44 < Bheam> the traffic shaper is supposed to be marking packets with iptables, but no packets get marked... 18:44 < Bheam> so obviously the common syntax doesn't apply for vpn bridges 18:44 < krzy> is your bridge working? 18:44 < Bheam> yes 18:44 < krzy> ok 18:45 < Bheam> i've tried tcpdump and all 3 bridge interfaces show data 18:45 < krzy> then its no longer a ovpn issue, but ill look on google for ya 18:46 < krzy> your real question is "how do i setup traffic shaping on a bridge?" 18:47 < Bheam> hmm there's something called 'ebtables' 18:47 < Bheam> that is the real question ;) 18:47 < krzy> and i bet asking in a linux channel would get you a fast answer 18:48 < krzy> however, im checking google anyways 18:48 < Bheam> trying thanks :p 18:48 < Bheam> :D 18:48 < krzy> although i only have about 10min left that im here 18:52 < krzy> http://mailman.ds9a.nl/pipermail/lartc/2003q2/008744.html 18:52 < vpnHelper> Title: [LARTC] Shaping traffic over a linux bridge (at mailman.ds9a.nl) 18:52 < krzy> 5th result from google: bridge traffic shaping 18:52 < krzy> looks like what you want 18:59 < krzy> funny too cause the guy posted, then he posted again with more info and a bribe, then he posted again answering his question 18:59 < krzy> he never got help but he did document stuff for you =] 19:53 -!- near [n=near@83-155-190-107.rev.libertysurf.net] has quit [Read error: 60 (Operation timed out)] 20:09 -!- near [n=near@88-122-24-90.rev.libertysurf.net] has joined ##openvpn 21:29 < krzee> !dev 21:29 -!- prattfall [n=sten@c-68-51-79-157.hsd1.il.comcast.net] has joined ##openvpn 21:29 < vpnHelper> krzee: Error: "dev" is not a valid command. 
21:29 -!- SilenceGold [n=chris@adsl-70-232-106-91.dsl.ltrkar.sbcglobal.net] has quit [Read error: 60 (Operation timed out)] 21:29 < Optic> moo 21:38 -!- near [n=near@88-122-24-90.rev.libertysurf.net] has quit [Read error: 101 (Network is unreachable)] 21:38 -!- near [n=near@88-122-20-14.rev.libertysurf.net] has joined ##openvpn 21:43 < krzee> werd 22:02 -!- prattfall [n=sten@c-68-51-79-157.hsd1.il.comcast.net] has quit [] 23:36 < ecrist> Bheam: did you get everything fixed up? --- Day changed Tue Aug 19 2008 01:25 -!- negboy [i=hamid@unaffiliated/negboy] has joined ##openvpn 01:26 < negboy> hi guys, anybody can help me . 01:28 < negboy> i have this config for windows on openvpn but now i want start openvpn on linux ==> http://freevpn.987mb.com/config.zip 01:29 < negboy> Please tell me, how do i use this connection on linux ? 01:38 < krzee> have you tried? 01:38 < krzee> you shouldnt hafta change much at all 01:39 < krzee> its platform independant 01:39 < krzee> also, unzip and pastebin 01:40 -!- mode/##openvpn [+o negboy] by ChanServ 01:40 <@negboy> ! 01:40 <@negboy> krzee: i unziped it 01:40 -!- mode/##openvpn [-o negboy] by ChanServ 01:40 < negboy> krzee: and cd to it folder 01:41 < krzee> pastebin the config 01:41 < krzee> !pastebin 01:41 < vpnHelper> krzee: "pastebin" is please paste anything with more than 5 lines into pastebin or a similar website 01:41 < krzee> !learn pastebin as ie: www.pastebin.ca 01:41 < vpnHelper> krzee: The operation succeeded. 01:42 < krzee> !pastebin 01:42 < vpnHelper> krzee: "pastebin" is (#1) please paste anything with more than 5 lines into pastebin or a similar website, or (#2) ie: www.pastebin.ca 01:42 < negboy> krzee: ow ! 01:42 < krzee> ? 01:43 < negboy> krzee: http://www.pastebin.ca/1178416 01:45 < krzee> you need tcp for a reason? 01:45 < krzee> !tcp 01:45 < vpnHelper> krzee: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. 
Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html 01:45 < krzee> that should work 01:45 < krzee> you might want to give it full paths 01:45 < krzee> !path 01:45 < vpnHelper> krzee: Error: "path" is not a valid command. 01:46 < negboy> !paths 01:46 < vpnHelper> negboy: Error: "paths" is not a valid command. 01:46 < krzee> !learn path as always use full paths in your config file, it makes things easier 01:46 < vpnHelper> krzee: The operation succeeded. 01:46 < krzee> !learn paths as always use full paths in your config file, it makes things easier 01:46 < vpnHelper> krzee: The operation succeeded. 01:46 < krzee> you should also consider dropping privledges 01:47 < negboy> krzee: where is the file config of openvpn on debian ? 01:48 < negboy> krzee: how to set openvpn as default for send and recieving from it ? 01:48 < krzee> !nat 01:48 < vpnHelper> krzee: "nat" is http://openvpn.net/howto.html#redirect 01:48 < krzee> i dont know where debian puts anything 01:49 < krzee> you installed from package or source? 01:49 < negboy> krzee: package 01:50 < krzee> /etc/openvpn/ 01:50 < krzee> user nobody 01:50 < krzee> group users 01:50 < krzee> or something like that 01:50 < krzee> some user and group that isnt root/wheel 01:51 < krzee> http://www.annoying.dk/2007/10/14/quick-simple-tutorialhowto-on-openvpn-with-debian/ 01:51 < vpnHelper> Title: Quick simple tutorial/howto on OpenVPN with Debian | www.annoying.dk (at www.annoying.dk) 01:51 < krzee> that has debian specific stuff 01:51 < negboy> krzee: thx. 
01:51 < krzee> you dont need to follow the whole thing, just skim it to catch anything debian specific 01:51 < krzee> np 02:04 -!- Netsplit kubrick.freenode.net <-> irc.freenode.net quits: negboy 02:06 -!- Netsplit over, joins: negboy 02:12 < kraut> moin 02:13 -!- negboy [i=hamid@unaffiliated/negboy] has left ##openvpn [] 02:21 < krzee> !kraut 02:21 < vpnHelper> krzee: "kraut" is moin 02:50 -!- gallatin [n=gallatin@dslb-092-072-072-132.pools.arcor-ip.net] has joined ##OpenVPN 03:14 -!- tcccp [i=hey@223.66.238.89.arpa-addr.in] has joined ##openvpn 03:15 < tcccp> hmmm 03:15 < tcccp> I know I forgot one channel... 03:34 < krzee> hehe 03:34 < krzee> wassssup 03:35 < tcccp> nothing right now 03:35 < tcccp> I'm suffering 03:35 < tcccp> needz sleep 03:35 < krzee> ? 03:35 < krzee> ahh 03:35 < krzee> gnite =] 03:35 < tcccp> hrhr 03:35 < tcccp> 1035am here 03:35 < tcccp> no sleepz for ceiling cat 03:36 < krzee> haha 03:36 * tcccp is watching his rodents having a nap ;) 04:12 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["Leaving"] 04:12 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 04:13 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Remote closed the connection] 04:14 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 05:03 -!- aptanet [n=Paul@87-127-190-18.no-dns-yet.enta.net] has joined ##openvpn 05:24 -!- aptanet [n=Paul@87-127-190-18.no-dns-yet.enta.net] has quit [Read error: 110 (Connection timed out)] 05:30 -!- aptanet [n=Paul@87-127-190-18.no-dns-yet.enta.net] has joined ##openvpn 05:35 < Bheam> oi 05:35 < Bheam> can i talk to a running openvpn and make it output like verb9? 05:35 < kala> via management interface 05:36 < Bheam> i'm trying to copy a file over windows networks, and i'm getting the data in chunks of about 1MB and ping is skyrocketing 05:36 < Bheam> is there any way to monitor udp packet loss? 05:37 < Bheam> and is tcp-queue-limit and/or txqueuelen gonna help me? 
05:44 < krzee> !mtu 05:44 < vpnHelper> krzee: "mtu" is you may find help finding the right MTU with this method: http://help.expedient.com/broadband/mtu_ping_test.shtml 05:44 < krzee> sorry thats not drected @ you 05:52 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 06:19 < Bheam> is there any way to reduce the amount of 'pathcost' packets? 06:20 < Bheam> also is there any way to view the tunneled data? --verb 9 gives some info, but nothing with regards to what is actually passing through 06:25 < rmull_> Bheam: Tcpdump could probably help in that regard. 06:26 < Bheam> i'm running a bridge 06:28 < Bheam> nm found it 06:28 < Bheam> was on wrong interface :p 06:29 < Bheam> 13:26:56.682026 IP 192.168.0.33.ssdp > 239.255.255.250.ssdp: UDP, length 319 06:29 < Bheam> will this traverse the vpn bridge? 06:29 < Bheam> .33 is my router and it keeps spamming that stuff like 15 times every second 06:42 -!- gallatin [n=gallatin@dslb-092-072-072-132.pools.arcor-ip.net] has quit [Remote closed the connection] 07:08 < Bheam> so i learn it's upnp.. i don't want that over the vpn 07:09 < cpm> iptables 07:15 < Bheam> i don't understand this bridge shit :p what interface do i iptables it on? eth0 - br0 - tap0 ? :p 07:19 < kala> maybe you should build a routed vpn? 07:47 < Bheam> lol no i'm gonna play doom2! 07:48 < ecrist> morning, kids 07:49 < kala> Bheam: you know, there P2P VPN software available? works on L2 level. Very cool... 08:00 < rmull_> ecrist: mornin 08:03 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 08:10 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 08:23 < Bheam> l2 level? 08:23 -!- rmull_ is now known as rmull 08:23 < Bheam> p2p vpn? i do that with openvpn :p 08:23 < ecrist> Bheam: you still having problems? 08:23 < Bheam> well everything works, i'm just on the tweaking phase 08:24 < Bheam> preventing certain traffic from being tunneled 08:25 < Bheam> and i have a problem.. 
if i stop a packet at the bridge(br0) the box itself won't get it (right?) 08:25 < Bheam> or does bridges also use the FORWARD rule? 08:25 < Bheam> do* 08:26 < ecrist> I wouldn't recommend blocking at the bridge. 08:26 < Bheam> so do i block at tap0 then? 08:26 < ecrist> either blockon the physical interface, or block on the tap device 08:27 < Bheam> but the physical interface doesn't have an ip anymore, can i still use iptables on it? 08:28 < ecrist> I'm not familiar with iptables. 08:28 < ecrist> more firewall softwares I've worked with don't need an IP on the interface to filter traffic, though. 08:28 < cpm> it's a linux specific kludge. And no, they don't need IP. Just the interface. 08:29 < Bheam> ok probably doesn' then 08:29 < Bheam> but again, i can't block it on the physical since i want the box to receive it 08:29 < Bheam> so tap0 it is 08:32 < Bheam> arg 08:32 < Bheam> iptables -A FORWARD -p udp -o tap0 --dport ssdp -j DROP 08:33 < Bheam> does nothing at all 09:01 -!- near [n=near@88-122-20-14.rev.libertysurf.net] has quit [Read error: 101 (Network is unreachable)] 09:02 -!- near [n=near@83-155-187-61.rev.libertysurf.net] has joined ##openvpn 09:04 -!- Irssi: ##openvpn: Total of 32 nicks [0 ops, 0 halfops, 0 voices, 32 normal] 09:16 < rmull> !nat 09:17 < vpnHelper> rmull: "nat" is http://openvpn.net/howto.html#redirect 09:17 < rmull> thanks vpnHelper 09:42 -!- Pici [n=Pici@ubuntu/member/pici] has joined ##openvpn 09:42 -!- Pici [n=Pici@ubuntu/member/pici] has left ##openvpn [] 09:45 -!- pred2k5 [n=Torsten@dslb-088-069-199-156.pools.arcor-ip.net] has joined ##openvpn 09:45 < pred2k5> hi 09:46 < ecrist> howdy 09:46 < pred2k5> I push redirect-gateway for every client, how to skip this, without creating a client-config-file, where I have to put in every route per hand? 09:46 -!- pornizzle [n=pornizzl@yamuk.erdem-online.net] has joined ##openvpn 09:46 < ecrist> push the routes in your main server config. 09:48 * cpm pushes ecrist 09:48 < cpm> hey, sorry. 
09:49 < pornizzle> hi guys, i always get a p-t-p connection ... but i use tun with ifconfig 09:49 < pornizzle> http://pastebin.com/d44c42e6 09:50 < pornizzle> here my config 09:50 < pornizzle> http://pastebin.com/d79686149 09:50 < pred2k5> ecrist I do 09:50 < pred2k5> I meant I push redirect-gateway in the main server conf :D 09:53 < pred2k5> do I get routes pushed by iroute, when I use client config dir? 09:55 * pornizzle slaps ecrist around a bit with a large trout 09:55 * pornizzle slaps cpm around a bit with a large trout 09:55 < pornizzle> hi :) 09:56 < cpm> no fish-slapping allowed 09:56 < pornizzle> :o 09:56 < cpm> python_violation=1 09:58 * ecrist slaps pornizzle around a bit with a large penis. 09:59 < cpm> onoes! 09:59 < ecrist> pred2k5: what're you trying to do? 09:59 < cpm> penis_violation=1 09:59 < pornizzle> oO 09:59 < ecrist> the question is, who got violated? /me thinks pornizzle. 10:00 < ecrist> ok, I'm sorry. I'm done now. 10:01 < pornizzle> pff 10:05 < pred2k5> I just want one client not to redirect-gateway 10:07 < ecrist> why only one? 10:10 < pred2k5> cause its "the" one 10:10 < pred2k5> the chosen one 10:13 < ecrist> don't think you can do what you want, save having ccs for each client you *want* redirect-gateway 10:15 < pred2k5> yes, thats what I wanted to avoid 10:16 < ecrist> well, for super-special dude, give them their own instance of openvpn, say, another port, that doesn't push that option. 10:18 -!- pornizzle [n=pornizzl@yamuk.erdem-online.net] has quit [] 10:30 < rmull> Man, ethernet bridging and me don't get along. 10:30 * rmull is insufficient 10:35 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 10:47 -!- mooseman447 [n=mooseman@24.229.203.37.res-cmts.sm.ptd.net] has joined ##openvpn 10:48 < mooseman447> hey would using redirect-gateway def1 on the client allow me to use a vpn even though the servers subnet and the client one are the same? 10:51 < ecrist> no 10:51 < ecrist> that's a broken setup, fix it. 
10:51 < mooseman447> darn ok 11:30 -!- mooseman447 [n=mooseman@24.229.203.37.res-cmts.sm.ptd.net] has quit ["Leaving"] 12:11 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has quit [Read error: 54 (Connection reset by peer)] 12:12 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN 12:12 -!- pred2k5 [n=Torsten@dslb-088-069-199-156.pools.arcor-ip.net] has quit [Read error: 110 (Connection timed out)] 12:37 -!- SilenceGold [n=chris@adsl-70-232-106-91.dsl.ltrkar.sbcglobal.net] has joined ##openvpn 12:42 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn 12:49 -!- bandini [n=bandini@host169-105-dynamic.16-79-r.retail.telecomitalia.it] has joined ##openvpn 13:18 -!- sega01 [n=sega01@2001:470:8:29:250:4ff:fe20:dbc4] has joined ##openvpn 13:19 < sega01> is openvpn's 2.5 beta branch maintained with the patches that go into 2.1? 13:21 < ecrist> depends. 13:22 < ecrist> something specific you're after? 13:27 < sega01> i'm just wondering if 2.5 is an old version with the udp6 patch or if it has been maintained 13:30 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Read error: 113 (No route to host)] 13:33 < ecrist> you'd have to talk to a developer or look to the source tree. 13:33 < ecrist> iirc, you can see it in svn. 13:37 < ecrist> Chuck Norris has two speeds, walk and kill. 13:37 < rmull> -_- 13:49 < cpm> Chuck Norris's tears can cure cancer 13:49 < cpm> Chuck Norris never cries 13:58 < ecrist> Chuck Norris doesn't take showers, he takes blood baths. 14:02 < rmull> Hey, I've got a question 14:02 < rmull> So you know how you can set openvpn to try a list of vpn servers in order in the client.conf 14:03 < rmull> And if it fails to connect to the first one it tries the second one? 14:04 < ecrist> yep 14:08 < rmull> What if one server is TCP and one is UDP? 14:08 < rmull> Can I still use a single client.conf for that? 14:09 < rmull> Actually, never mind. 
14:09 < rmull> I'm looking to have a backup vpn server that clients will fail back on if they're behind HTTP proxies 14:10 < rmull> But I may need an extra directive in the conf specifying the location of the proxy anyhow 14:11 < rmull> So I doubt I can use a single client.conf for this. 14:14 < ecrist> no 14:14 < ecrist> you cannot do what you're seeking. 14:15 < ecrist> you could wrap it in a script that would determine whether the user is behind a proxy, and dynamically build a config based on that. 14:17 -!- BoomSie [n=gideon@212-182-158-43.ip.telfort.nl] has joined ##openvpn 14:18 < rmull> Okay, I'll check it out, thanks bud 14:21 < ecrist> np, that's what I'd do if it were an issue here. 14:23 -!- BoomSie [n=gideon@212-182-158-43.ip.telfort.nl] has quit [Remote closed the connection] 14:26 < kala> ecrist: but then you would need to have your own daemon code and proxy detection and things? 14:27 < kala> it would seem to me that it would make sense to have both UDP and TCP and PROXY servers to the same OpenVPN config file. I know, we would need to write a patch for that :) 14:34 < rmull> Something like that might require logic in the config 14:35 < kala> well, there's logic for TCP servers currently? 14:36 < kala> "single type of servers" 14:36 < kala> to choose another, if first one doesn't respond 14:36 < kala> and to shoose randomly 14:36 < kala> choose 14:37 < rmull> That's true 14:47 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 15:00 < ecrist> kala: it would be stupid easy to write a script as I mentioned. 15:06 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn 15:48 -!- rmull [n=boom@c-76-117-208-224.hsd1.nj.comcast.net] has quit [Read error: 110 (Connection timed out)] 15:58 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 16:09 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Client Quit] 17:34 < ecrist> evening, kids 17:34 < ecrist> I think I'm going to paint my cupboards today. 
17:34 < ecrist> well, the last set of them. 17:38 -!- joyrom [n=mirama@87.19.114.220] has joined ##openvpn 17:39 -!- joyrom [n=mirama@87.19.114.220] has left ##openvpn [] 18:43 -!- aptanet [n=Paul@87-127-190-18.no-dns-yet.enta.net] has quit ["Leaving"] 19:30 -!- rmull [n=boom@c-76-117-208-224.hsd1.nj.comcast.net] has joined ##openvpn 19:31 -!- rmull is now known as rmull_ 20:41 < Optic> hi 20:44 -!- preaction [n=doug@68-185-172-125.dhcp.mdsn.wi.charter.com] has joined ##openvpn 20:55 < ecrist> hi 21:20 -!- preaction [n=doug@68-185-172-125.dhcp.mdsn.wi.charter.com] has quit [Read error: 110 (Connection timed out)] 21:22 -!- near [n=near@83-155-187-61.rev.libertysurf.net] has quit [Read error: 60 (Operation timed out)] 22:11 -!- JohnMahowald [n=john@fedora/fedorared] has joined ##openvpn 22:41 -!- Netsplit kubrick.freenode.net <-> irc.freenode.net quits: epsilon, rsc, kala, Bheam, sega01, kraut, rmull_ 22:42 -!- Netsplit over, joins: rmull_, sega01, kraut, rsc, Bheam, kala, epsilon 23:53 -!- rickb|server [n=admin@cpe-24-29-248-203.neo.res.rr.com] has joined ##openvpn 23:54 < rickb|server> Hello.. This may seem stupid.. But I have openvpn on my server, I didn't set it up and I know practically nothing about it.. To get the certs and keys needed to add a client, how do I do that? Is it on the man page? --- Day changed Wed Aug 20 2008 00:00 < krzee> make new keys and certs 00:00 < krzee> !new 00:00 < vpnHelper> krzee: Error: "new" is not a valid command. 00:00 < krzee> !openvpn 00:00 < vpnHelper> krzee: Error: "openvpn" is not a valid command. 00:01 < krzee> bleh 00:01 < krzee> !howto 00:01 < vpnHelper> krzee: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 00:01 < krzee> !keys 00:01 < vpnHelper> krzee: Error: "keys" is not a valid command. 00:01 < krzee> !learn keys as http://openvpn.net/howto#pki 00:01 < vpnHelper> krzee: The operation succeeded. 00:01 < rickb|server> I found a good help thing. 
:p I don't expect people to run me through every step, it's not linux then.. :p 00:02 < krzee> well we'll help ya when you get stuck 00:02 < krzee> but ya you gotta do the reading and trying 00:02 < krzee> just read that 00:02 < krzee> http://openvpn.net/howto#pki 00:02 < vpnHelper> Title: OpenVPN 2.0 HOWTO (at openvpn.net) 00:02 < krzee> the howto and man page are EXTREMELY good 00:03 < krzee> if you were to read both youd understand a lot about openvpn 00:03 < krzee> and it would not be hard to help you with anything you got stuck at most likely 00:03 < krzee> =] 00:04 < rickb|server> :) 00:04 < rickb|server> Thx 00:05 < krzee> np 00:05 < krzee> ohhh 00:05 < krzee> and if you use freebsd 00:05 < krzee> !sslserver 00:05 < vpnHelper> krzee: Error: "sslserver" is not a valid command. 00:06 < krzee> !ssl-server 00:06 < vpnHelper> krzee: Error: "ssl-server" is not a valid command. 00:06 < krzee> !ssl_server 00:06 < vpnHelper> krzee: Error: "ssl_server" is not a valid command. 00:06 < krzee> bleh whats he call it 00:07 < krzee> !ssl-admin 00:07 < vpnHelper> krzee: Error: "ssl-admin" is not a valid command. 00:07 < rickb|server> Well.. I am trying to create the public key.. I just added the user, chowned and chmod'd all of the appropriate directories.. What next? lol 00:07 < krzee> you in fbsd? 00:07 < rickb|server> I'm actuall on Linux. 00:08 < rickb|server> FC6 00:08 < krzee> !learn ssl-admin as https://www.secure-computing.net/wiki/index.php/OpenVPN_Server 00:08 < vpnHelper> krzee: The operation succeeded. 00:09 < rickb|server> Does the ssl-admin give you any control over the clients? 
00:09 < krzee> its for keeping track of certs 00:09 < krzee> server.conf and ccd entries give you control over the client 00:09 < krzee> go read the howto 00:09 < rickb|server> kk 00:09 < krzee> DO NOT think you will get openvpn up right without it 00:10 < krzee> you may get it working with some website, but you wont understand openvpn and therefor will have problems 00:10 < krzee> read the howto, and you will be at a point where people can help you 00:11 < krzee> if you want it done for you i always accept cash for setting things up ;] 00:11 < krzee> otherwise help is free, but you must read docs 00:12 < rickb|server> krzee: Yeah, you are right, it is worth it for the security though.. 00:12 < rickb|server> I mean, it's a little bit of a hassle at first, but.. Security comes with a price, or a couple cups of coffee. 00:12 < krzee> hah 00:13 < krzee> if you want to know howto do anything, expect to read its docs 00:13 < krzee> its not just about security, its about knowing wtf you're doing 00:16 < rickb|server> lol 00:16 < rickb|server> True. 00:16 < rickb|server> I have it setup nicely, works great, I have my server only showing like 3 public services running with a little help from my firewall, it's prety sweet. 00:16 < rickb|server> (Not me, my friend) :) 00:41 -!- bandini [n=bandini@host169-105-dynamic.16-79-r.retail.telecomitalia.it] has quit [Remote closed the connection] 00:48 < rickb|server> Ok, I got that.. The client I need to be able to connect to me is running in a non-gui environment, how would I get him online through command line? :) 00:49 < krzee> so you read the howto? 00:49 -!- aia [n=aia@unaffiliated/aia] has joined ##openvpn 00:50 < krzee> (no, you did not) 00:50 < rickb|server> yeah 00:50 < krzee> no 00:50 < krzee> read the whole howto 00:50 < rickb|server> I may have skimmed, brb. 
:p 00:50 < krzee> dude 00:50 < krzee> dont bother asking stuff till you read the howto 00:50 < rickb|server> k 00:54 < rickb|server> I see said the blind man as he pee'd into the wind.. 00:55 < aia> Anyone fimilar with getting auth tls server running on windows? 01:24 < krzee> no different than in *nix 01:27 -!- rickb|server [n=admin@cpe-24-29-248-203.neo.res.rr.com] has quit [Remote closed the connection] 02:00 -!- BoomSie [n=gideon@dw772421126.amsterdam-tc.dataweb.net] has joined ##openvpn 02:02 < aia> How do I do it? 02:02 < aia> any channels talk about it here? 02:05 < BoomSie> =) 02:10 < krzee> !howto 02:10 < vpnHelper> krzee: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 02:10 < krzee> is this nobody reads the docs day? 02:11 < krzee> http://openvpn.net/index.php/documentation/howto.html#security 02:11 < vpnHelper> Title: HOWTO (at openvpn.net) 03:00 -!- xybr3 [n=xybre@bb4win/users/fluffy] has joined ##openvpn 03:07 < Bheam> hlep.. 'shaper' doesn't work as expected :p 03:07 < Bheam> i put "shaper 50000" in config and now i get 10 sec lag :p 03:08 < krzee> tcp or udp? 03:08 < Bheam> udp 03:08 < krzee> adjusted mtu accordingly? 03:09 < Bheam> didn't think i have to with that big a shape 03:09 < krzee> big? 03:09 < Bheam> 50000 bytes? 
03:09 < krzee> thats under 50kb/s 03:09 < Bheam> mtu is like 1400, so that should be like 40 packets/sec 03:10 < Bheam> i don't get it :p 03:10 < Bheam> besides why does mtu even matter, it's a byte-measure 03:10 < Bheam> i see why mtu matters if i choose values low as 1000 03:11 < Bheam> but for 50kb it shouldn't 03:12 < krzee> didnt really analyze it, but its easy to check if its an issue or not 03:12 < krzee> !mtu 03:12 < vpnHelper> krzee: "mtu" is you may find help finding the right MTU with this method: http://help.expedient.com/broadband/mtu_ping_test.shtml 03:12 < krzee> and you're right 03:12 < krzee> manual does say if its 1000 / s 03:12 < Bheam> yes 03:15 < krzee> i wonder if making it base2 would help any 03:17 < krzee> like 65536 03:17 -!- xybr2 [n=xybre@bb4win/users/fluffy] has quit [Read error: 110 (Connection timed out)] 03:27 -!- Araknozzo [n=asdfcdf@poisson.phc.unipi.it] has joined ##openvpn 03:28 < Araknozzo> hallo. i want to migrate my openvpn server 03:28 < Araknozzo> can i just copy my server ssl keys to the new machines? 04:00 < kala> ecrist: I still disagree that its stupid easy to write a script for fallback from TCP servers to UDP servers. Script in what language? working on Windows, Linux, Mac? 04:36 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)] 05:06 -!- Araknozzo [n=asdfcdf@poisson.phc.unipi.it] has quit ["Lost terminal"] 05:23 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 07:20 < ecrist> kala, Mac/BSD/Linux 07:34 -!- rmull_ is now known as rmull 07:46 -!- DaPrivateer [i=Privatee@crimson.66fruit.com] has quit ["—I-n-v-i-s-i-o-n— 2.0 Build 3515"] 07:51 < ecrist> the script could be in almost any language. I'd probably use sh, but perl, python, etc, would work. 08:05 < Optic> good morning 08:05 -!- ke4qqq [n=ke4qqq@64.89.94.194.nw.nuvox.net] has joined ##openvpn 08:08 < ke4qqq> hey guys - I have a user using openvpn-gui on winxp. 
(along with about 40 other users) This particular user has the systray icon disappear on her and of course it causes her to lose vpn control. If she tries to restart openvpn gui she gets an error saying that it is already running. She can close openvpn-gui via taskmgr and restart openvpn-gui and successfully connect, and often stay connected for hours. 08:08 < ecrist> ok 08:09 < ke4qqq> any suggestions on how to make that 'disappearing icon' behavior stop? 08:11 < ecrist> sounds like a bug in openvpn-gui, or windows xp 08:13 < ecrist> what version are you using? 08:14 < ke4qqq> 1.03 08:14 < ke4qqq> I see some list traffic from back in 2005 08:14 < ke4qqq> where matthias was going to have it retry to register up to 10x. 08:16 < ke4qqq> but that was in Sept 2005 08:16 * ke4qqq goes to read recent changelogs 08:16 < ecrist> wow, you know there are much newer versions of openvpn-gui, right? 08:16 < ecrist> erm, was looking at wrong version 08:16 < ke4qqq> that 1.0.3? don't think so. 08:17 < ke4qqq> latest stable is listed as 1.0.3 on the website - this is of the gui not openvpn proper 08:19 < ke4qqq> actually when I download the source of this it doesn't appear that it's been fixed per the changes.txt. 08:20 < ke4qqq> I'll post to the mailing list and ask matthias 08:22 < ecrist> let us know here if you find anything out. 08:23 < ke4qqq> k 08:29 -!- Whoopie [i=Whoopie@unaffiliated/whoopie] has joined ##openvpn 08:31 < Whoopie> Hi, I tried to compile OpenVPN 2.1-rc9 for my mipsel-based embedded system. I got a compile error. I made a patch (http://en.pastebin.ca/1179628), but I'm not sure if it's correct. 08:31 < Whoopie> Any hints? 08:33 < ecrist> you'd have to talk to the developers on the mailing list for that one. 08:35 < ke4qqq> openvpn-devel Whoopie 08:36 < Whoopie> ok, thanks. I just saw that a fix was added to the SVN. I'll have a look. 
08:40 -!- Whoopie [i=Whoopie@unaffiliated/whoopie] has left ##openvpn ["Bye"] 09:39 -!- chadeldridge [n=celdridg@12.109.108.18] has joined ##openvpn 09:41 < chadeldridge> Hello everyone, I am running openvpn on windows 2003 server with microsoft DNS server. I am unable to get my clients to register in dns even though secure updates are turned off in dns and both the server and suffix are pushed to the clients. can anyone help me please? 09:41 -!- araknozzo [n=asdfcdf@poisson.phc.unipi.it] has joined ##openvpn 09:41 < araknozzo> hallo 09:41 < araknozzo> i need to make a vlan on tap0 09:41 < araknozzo> is it possibile? 09:41 < araknozzo> i need to reach a different ip 09:41 < araknozzo> my tap0 is bridged on 192.168.0.1 09:42 < araknozzo> i need from clients to reach a unmodifieble ip 09:42 < araknozzo> 10.0.0.1 09:42 < araknozzo> so on tap0 i have to reach 192.168.0.1 .. and that i do perferctly 09:43 < araknozzo> but i have to reach through a "virtual" 10.0.0.1 which still doesnt exist 09:43 < araknozzo> any idea plz? 09:43 < araknozzo> through tap0* 09:43 < araknozzo> maybe tap0:0 09:44 < araknozzo> a vlan interface with assigned ip? 09:44 < araknozzo> routed with tap0 09:47 < ecrist> araknozzo: sounds like a routing issue 09:47 < ecrist> not a VLAN issue, per se 09:49 < araknozzo> but i need those clients to reach an ip which doesnt exist 09:49 < ecrist> that doesn't even make sense. 09:49 < chadeldridge> not in the least 09:50 < araknozzo> these clients were programmed to make an update on 10.0.0.1 09:50 < chadeldridge> Is there a command for the server config or client config that tells it to register itself in DNS ? 
09:50 < araknozzo> nothing works in dns 09:50 < araknozzo> everything on static ips 09:50 < araknozzo> client and server work great 09:51 < araknozzo> and external application on client needs to connect on 10.0.0.1 09:51 < araknozzo> i need to simulate this ip through 192.168.0.1 09:51 < chadeldridge> that cant be true ,..there is options to push dns and wins .. registration to wins works fine .. but not dns 09:51 -!- preaction [n=doug@static-72-1-4-143.ntd.net] has joined ##openvpn 09:51 < araknozzo> what am i supposed to do with wins? 09:51 < araknozzo> i got none 09:52 < chadeldridge> 2 separate issues ... sorry .. read above your wall o text 09:52 < chadeldridge> nevermind .. you came in after 09:53 < araknozzo> kkk 09:53 < ecrist> chadeldridge: didn't see your post, sorry. 09:53 < chadeldridge> Hello everyone, I am running openvpn on windows 2003 server with microsoft DNS server. I am unable to get my clients to register in dns even though secure updates are turned off in dns and both the server and suffix are pushed to the clients. can anyone help me please? 09:53 < chadeldridge> there ya go :-D 09:53 < ecrist> your issue isn't an OpenVPN issue, it's a DNS issue. 09:53 < chadeldridge> not really ... its openvpn failing to send the registration to dns 09:54 < chadeldridge> packet sniffer shows no port 53 traffic is actually occurring when the client connects 09:54 < chadeldridge> although wins works 09:54 < ecrist> you using bridge or routed vpn? 09:54 < chadeldridge> routed 09:55 < chadeldridge> server 10.29.0.0 255.255.255.0 09:55 < chadeldridge> push "dhcp-option DNS 10.29.0.1" 09:55 < chadeldridge> push "dhcp-option DOMAIN commandassist.local" 09:55 < chadeldridge> those look right ? 09:55 < ecrist> yep 09:55 < chadeldridge> server being .1 and dns running on .1 09:56 < ecrist> the client should be sending the update to DNS, not the DHCP server. 09:56 < ecrist> which means it's not an openvpn issue, directly. 
You may be blocking traffic for the updates, or your clients aren't properly configured. 09:57 < chadeldridge> is there something that should be in the client config ? 09:57 < ecrist> no, it's a function of the client machine's network stack. 09:57 < chadeldridge> so windows then .. /sigh 09:57 < chadeldridge> let me try my unix machine have yet to test on it 09:57 < chadeldridge> 1 sec 09:58 < ecrist> fwiw, I have windows machines here that seem to work that way just fine. 09:58 < ecrist> my guess is a firewall problem. 09:58 < chadeldridge> i have that machine on DMZ 09:58 < chadeldridge> well wait ... i have that machines real ip on DMZ 09:59 < chadeldridge> i wonder if i need to do the internal 10.29.x.x net as well 10:02 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn 10:03 < ecrist> somebody buy me these LG monitors. 10:03 < ecrist> I'll be your friend *forever* 10:03 < chadeldridge> lol 10:03 < chadeldridge> still no go for me ... added both the 10.29.0.0/24 and the external IP on DMZ and same result 10:03 < chadeldridge> /sadface 10:04 -!- araknozzo [n=asdfcdf@poisson.phc.unipi.it] has quit ["leaving"] 10:05 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Read error: 104 (Connection reset by peer)] 10:12 < chadeldridge> just a question ... if a machine was a member of an AD would it register its DNS with a machine that is not in that AD or in a different domain suffix ? 10:13 < ecrist> not sure on that one. sounds like a #windows question 10:14 * ecrist doesn't use windows anymore 10:14 < ecrist> nothing against it, just a skill that's slowly slipping away. 10:14 < chadeldridge> yeah .. i agree .. i use linux all day, but have to support some of these stupid windows apps written 100 years ago it seems 10:15 < ke4qqq> neither do I - thats part of the problem 10:16 < ke4qqq> it just works for me in Linux..... 10:16 < chadeldridge> yeah .. my linux box registered just fine .. 
its windows ip stack being non-standard and horribly written 10:16 < chadeldridge> *standards ... wtf are standards .. lol 10:16 < ke4qqq> but chadeldridge - it will try to report its location to DNS server - but it's up to the DNS server for if it will accept and forward that on 10:17 < chadeldridge> yeah .. i have actually tried a few dns servers on this box .. but its something in the 2k3 ip stack that seems to say no to the traffic 10:17 < chadeldridge> no idea what is causing it .. but still looking 10:17 < ecrist> try tcpdump, see if there's something obvious 10:18 < chadeldridge> am now 10:18 < chadeldridge> along with wireshark 10:18 -!- preaction [n=doug@static-72-1-4-143.ntd.net] has quit ["Leaving"] 10:19 < chadeldridge> bbl .. thanks all 10:24 -!- BoomSie [n=gideon@dw772421126.amsterdam-tc.dataweb.net] has quit ["Ex-Chat"] 11:35 -!- xattack [i=invitado@132.248.108.239] has joined ##openvpn 11:45 < plaerzen> Hello channel 11:45 * plaerzen is back from vacation. 11:49 -!- mto [n=richard@CPE000129fda0dd-CM0016b5312c66.cpe.net.cable.rogers.com] has joined ##openvpn 11:50 < mto> Hey guys! I am having trouble with openvpn. I can get an authenticated connection, but I am not getting a local IP on the tun0 device. ideas? 11:50 < mto> Connections from windows with the same config work fine, so its something at the ubuntu client end... 11:52 < chadeldridge> when you say the same config do you mean the exact same config .. because the formatting for inside unix and the formatting for windows is different 11:52 < chadeldridge> on the config file level that is 11:55 < mto> Well... ubuntu's network manager didn't seem to actually be loading in the file, so I manually entered in all the data. If I used the commandline, I used the same file. 11:55 < mto> You mean lines ending with carriage-returns and line feeds, right? 11:56 < chadeldridge> well for example in the windows version of the config.ovpn you have to \\ directory location as where in unix you dont ...
other differences like that 11:56 < chadeldridge> are you starting the config file manually from the shell ? 11:58 < ecrist> mto: have you tried manually running openvpn as root, instead of going through connection manager? 11:59 < chadeldridge> yeah .. may want to try to sudo the openvpn command and see what happens 11:59 < mto> Yeah. I have a file gloplug.ovpn. I run "sudo openvpn gloplug.ovpn". It connects, asks for a username/password, does a bunch o' stuff, and tries to add some routes (which fail) and then says "initialization sequence completed" but if I now look at ifconfig or route -n, there is no IP on tun0, and I cannot reach anything in the office. 12:00 < mto> I just removed all the ^M's from the file, that made no difference. 12:02 < chadeldridge> so the issue is the route addition failing ? 12:03 < ecrist> the route additions fail because the IP isn't assigned. 12:03 < ecrist> mto: sounds like you've got a conflict of some sort between the client and server. 12:03 < mto> I think that's secondary. "ifconfig tun0" does not show an ip address. Therefore, I have no route to 10.10.4.1, and therefore any route I add with "... gw 10.10.4.1" is guaranteed to fail. 12:03 < ecrist> can you paste your client config for us? 12:04 < chadeldridge> yeah i would like to see your config 12:04 < mto> sure. hold on. 12:05 < mto> http://pastebin.com/m4c126d87 12:09 < chadeldridge> dont you need to specify dev tun or dev tap in the config file ? 12:10 < mto> there's a line in there, 8th from the bottom "dev tap". Is that not right? I assumed it was because it worked with windows. 12:10 < chadeldridge> sorry missed it .. 12:10 < chadeldridge> but you are using tun and not tap .. correct ? 12:10 < chadeldridge> not sure if it makes a diff 12:11 < chadeldridge> my client config is massively less complex than yours so im shootin in the dark here. we do everything via CCD on the server 12:12 < mto> I think I confused myself with tap vs tun. 
I *thought* I saw a tun device earlier, but right now, I see a /dev/tap0... But it still doesn't have an IP, so the symptoms haven't changed... 12:13 < ecrist> mto: what kind of vpn do you have? 12:13 < ecrist> tun or tap? 12:13 < ecrist> the server and client need to match. 12:13 -!- near [n=near@88-122-30-103.rev.libertysurf.net] has joined ##openvpn 12:15 < mto> the server is running zeroshell. which is a sort of bundled opensource firewall thingy. It created the .ovpn file. AFAIK, its using a tap device, and I see a tap device on my machine. I misspoke earlier when I called it a tun device. 12:26 -!- SilenceGold [n=chris@adsl-70-232-106-91.dsl.ltrkar.sbcglobal.net] has quit [Read error: 104 (Connection reset by peer)] 12:26 -!- SilenceGold [n=chris@70.232.106.91] has joined ##openvpn 12:28 < mto> hmmm. If I do an "ifconfig tap0 10.10.4.200 netmask 255.255.255.0" and then manually add routes, it works fine. Unfortunately, .200 is a randomly chosen IP, so its not a solution I can share across the corporation. 12:34 < ecrist> mto - as I said, your routes are failing because there's no IP being assigned. are you using statically assigned IPs? 12:36 < mto> I'm trying to figure out what the server is doing. It should be dynamic, because I'm not supposed to need to go to the server every time another user wants to set up a vpn from a new laptop. 12:37 < ecrist> you said linux clients work OK? 12:38 < mto> Windows clients work OK, linux clients do not. 12:38 < ecrist> hrm, there should be no difference. 12:39 < ecrist> our network here has Mac, Linux, FreeBSD, and Windows 98/XP working fine with dynamic IPs. 
12:40 < mto> I'm seeing these 2 lines in the openvpn server log: 13:20:58 99.234.87.233:63626 [admin] No Virtual IP automatically assigned" and "13:20:58 admin/99.234.87.233:63626 MULTI: no dynamic or static remote --ifconfig address is available for admin/99.234.87.233:63626" 12:40 -!- fzzzt [n=fzzzt@rrcs-72-43-92-186.nys.biz.rr.com] has joined ##openvpn 12:40 -!- xattack [i=invitado@132.248.108.239] has quit ["Leaving"] 12:52 < chadeldridge> why wont dns just work .. its making me crazy 12:54 < ecrist> can you paste your server config and your logs, please? 12:54 < chadeldridge> sure let me pastebin them both 12:55 < chadeldridge> !pastebin 12:55 < vpnHelper> chadeldridge: "pastebin" is (#1) please paste anything with more than 5 lines into pastebin or a similar website, or (#2) ie: www.pastebin.ca 12:55 < mto> I think I fixed it. It looks like the server didn't have a properly configured dynamic IP range set. 12:55 < ecrist> :) 12:57 < chadeldridge> www.pastebin.ca/1179859 12:57 < chadeldridge> is the server config 12:58 < chadeldridge> what else would you like to see / 12:58 < ecrist> logs 12:59 < chadeldridge> not much to see in the logs .. but posting 12:59 < chadeldridge> http://www.pastebin.ca/1179863 13:00 < chadeldridge> you want the ccd for a client as well / 13:01 < chadeldridge> i have 2 types of clients .. local and admin ... local gets 10.29 and admin gets 10.30 via ccd 13:01 < chadeldridge> local cant see local .. but admin can see all 13:02 < ecrist> sure, more info I have, the better I can help you out. 13:02 < chadeldridge> ok 13:03 < chadeldridge> the ccd is nothing more than the static ip being pushed .. and the route to the other network 13:03 < chadeldridge> and all of that works fine .. just dns doesnt ... although wins does just fine 13:05 < chadeldridge> i am using ms dns server and allow non-secure updates is checked 13:05 < ecrist> so, only admins have a ccd entry, right? 
13:05 < chadeldridge> yes 13:05 < chadeldridge> correct 13:05 < chadeldridge> local users just get a dynamic 13:05 < chadeldridge> in the 10.29 range 13:06 < ecrist> and the DNS server is 10.29.0.1? 13:06 < chadeldridge> both those ips 10.29 and the 12.109 address are the same machine and yes that is the dns server 13:07 < ecrist> iirc, windows won't send DNS updates to a DNS server off its own subnet 13:07 < chadeldridge> ahh 13:07 < ecrist> so 13:07 < chadeldridge> well that could be a problem 13:07 < fzzzt> Hi guys, wonder if you can help me figure something out. I need to move a machine between locations, but still access it securely from both locations, so I would like to use OpenVPN. It's currently on 10.0.1.2/29 and will be moving to 10.0.1.65/29 at the new place. Is it possible to connect two networks like that with OpenVPN in such a way that the current clients can still talk to 10.0.1.2/29 and it gets routed through to 10.0.1.64/29, 13:07 < fzzzt> transparent to the client? 13:07 < chadeldridge> although once connected to openvpn they are kinda on the same 13:08 < fzzzt> eek 13:08 < chadeldridge> although 'ras' connections may just not be able to register 13:08 < chadeldridge> do you think that may be the case / 13:09 < ecrist> fzzzt: you'd have to do some IP redirect stuff. 13:09 < ecrist> I know pf can handle that for you. 13:09 -!- patok [n=patok@r9ay214.net.upc.cz] has joined ##openvpn 13:10 < ecrist> is it the end of the world for them to not register? 13:10 < fzzzt> hmm 13:10 < ecrist> if you really need them to, add an IP for the DNS server on the 10.30 subnet and push proper DNS server via dhcp-option 13:11 < chadeldridge> yeah basically it breaks the entire system 13:12 < chadeldridge> if i was using linux server for this and bind would i have the same issue 13:13 < chadeldridge> so you mean maybe running a client machine that is connected to openvpn that is running the dns server / 13:13 < ecrist> you confused me there.
13:13 < chadeldridge> lol sorry 13:14 < chadeldridge> basically they will not register if they are not on the same subnet through windows .. correct 13:14 < ecrist> yes, i believe so. 13:14 -!- mto [n=richard@CPE000129fda0dd-CM0016b5312c66.cpe.net.cable.rogers.com] has quit [Read error: 110 (Connection timed out)] 13:14 < chadeldridge> what if i setup a machine that connected via openvpn and ran the dns server and i pointed the clients to that machine for their dns 13:14 < patok> hi, need help, please... when I have freebsd router with LAN after it and on the router I'm running OpenVPN... when I connect VPN from linux, everything works OK, but when I connect from windows, there is problem with netbios names resolving... so question is - can windows OpenVPN clients resolve netbios names? thx 13:15 < chadeldridge> i dont think you can resolve netbios through openvpn without wins or dns .... 13:16 < chadeldridge> maybe wrong though 13:17 < ecrist> chadeldridge: why aren't you just using bridging? 13:17 < ecrist> you would do away with all these problems. 13:17 -!- Pride [i=platyna@platinum.edu.pl] has joined ##openvpn 13:17 < Pride> Hello. 13:17 < ecrist> hello 13:17 < Pride> It seems that you have broken configure. 13:18 < Pride> 'gcc: `-V' option must have argument' 13:18 < Pride> And configure fails. 13:18 < ecrist> I have broken nothing. 13:18 < chadeldridge> i'm not sure we can with the config we have to maintain. here is our situation. we use this for a client connection into our building. clients cant have the ability of seeing other clients and internal admins have to be able to see all of them. i thought routing was the only way to accomplish this 13:18 < Pride> I have looked in the configure code. 13:19 < patok> chadeldridge: ok, so when I install samba wins server on router, it should work? 13:19 < chadeldridge> push the wins address to your clients and that should resolve your names fine yes 13:19 < Pride> ecrist: You are a developer of OpenVPN?
13:19 < ecrist> chadeldridge: that's what firewalls are for. 13:19 < ecrist> Pride: no. 13:20 < ecrist> I don't think anyone here is. 13:20 < Pride> Mhm. OK. See you then. 13:20 -!- Pride [i=platyna@platinum.edu.pl] has left ##openvpn ["Live Free Or Die!"] 13:20 < patok> chadeldridge: ok, so it's not so painful :) 13:20 < patok> thx :) 13:20 < ecrist> lol 13:20 < chadeldridge> nah 13:21 < chadeldridge> ecrist ... thanks for your help .. its at least keeping me thinking 13:21 < chadeldridge> been working on this for days now 13:21 < ecrist> np 13:21 < chadeldridge> just not sure why dns is being such a pita 13:21 < ecrist> it's a subnetting issue. 13:22 < chadeldridge> yeah i think so too 13:22 < chadeldridge> do you think the client connected dns server would work / 13:22 < ecrist> you *may* be able to config the network stack to update, regardless of subnet, somewhere. 13:22 < ecrist> chadeldridge: shouldn't even be that hard. 13:22 < chadeldridge> network stack of the server or the clients / 13:22 < ecrist> just give the DNS/VPN server an IP on the 10.30 subnet. 13:22 < chadeldridge> well that subnet doesnt really exist .. its created by openvpn 13:23 < ecrist> so? 13:23 < ecrist> you can still assign an IP to the server, or tell DNS to listen to 10.30.0.1 13:24 < chadeldridge> well i could i guess hardcode a 10.30 address to the network card.... but how would that be any different than the 10.29 address already used on the tap adapter / 13:25 < ecrist> because the clients on 10.30 would be on the same subnet 13:25 < ecrist> better yet, why not give the admins their own vpn instance? 13:25 < ecrist> with a different config? 13:25 < chadeldridge> well no one can register dns .. not 10.29 or 10.30 clients 13:26 < ecrist> hrm, you implied above that only the 10.30.x clients had problems. 13:26 < chadeldridge> ohh no sorry .. both subnets are dead for dns 13:26 < chadeldridge> my fault .. bad explanation 13:28 < ecrist> I don't know, then.
I don't think it's a VPN thing, as OpenVPN doesn't do filtering at all. 13:29 < chadeldridge> k 13:30 -!- plik [i=gorph@phalse.2600.COM] has joined ##openvpn 13:30 < plik> hi 13:30 < ecrist> howdy 13:34 < plik> I'm trying to set up openvpn 2.0.6 on FreeBSD 7.0 (from Ports), following the howto, to build-ca but I get a permission denied error... 13:34 < plik> [root@brian /usr/local/etc/openvpn/easy-rsa]# . ./build-ca 13:34 < plik> bash: /usr/local/etc/openvpn/easy-rsa/pkitool: Permission denied 13:34 < plik> any suggestions please? 13:34 < ecrist> update your ports tree, first 13:34 < ecrist> current version is 2.0.9 13:34 < ecrist> actually 13:35 < ecrist> !freebsd 13:35 < vpnHelper> ecrist: "freebsd" is https://www.secure-computing.net/wiki/index.php/OpenVPN_Server 13:35 < plik> ok, that'll be a good start thanks 13:35 < ecrist> if you have questions, let me know 13:35 < ecrist> I wrote that. 13:35 < plik> cheers :) 13:35 * plik goes to upgrade & read 13:52 -!- DaPrivateer [i=Privatee@crimson.66fruit.com] has joined ##openvpn 13:52 -!- DaPrivateer [i=Privatee@crimson.66fruit.com] has left ##openvpn [] 13:53 -!- DaPrivateer [i=Privatee@crimson.66fruit.com] has joined ##OpenVPN 13:54 -!- chadeldridge [n=celdridg@12.109.108.18] has left ##openvpn [] 14:02 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 14:08 < ecrist> afternoon, krzee 14:09 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)] 14:09 < ecrist> well, fuck you then. 14:09 < ecrist> :\ 14:09 < tcccp> lol 14:09 < ecrist> sure, 'Connection reset by peer.' That's what my last girlfriend said when I asked why she broke up with me. 14:09 < tcccp> odd 14:09 * ecrist runs away, flailing his arms, sobbing. 14:10 < patok> can be dhcp server pushed explicitly in configuration file please? now I see I have 192.168.x.0 instead 192.168.x.1 as an DHCP server.... its strange. 14:10 < ecrist> patok: I don't follow. 
14:11 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 14:16 < krzee> !tcp 14:16 < vpnHelper> krzee: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html 14:17 * ecrist wishes his last name was Titz 14:19 < krzee> hah 14:21 < cpm> ecrist, you'll pay for that in the afterlife. 14:22 < ecrist> cpm, it's a long list, one more thing won't hurt any. 14:23 < cpm> very well. 14:23 < cpm> your punishment begins now. 14:23 < cpm> http://www.badgerbadgerbadger.com/ 14:23 < vpnHelper> Title: Badger Badger Badger.com! The Original Dancing Badgers! (at www.badgerbadgerbadger.com) 14:23 < cpm> view it, and keep viewing it. 14:25 < ecrist> is there an end? 14:25 < ecrist> loops after snake? 14:25 * ecrist gouges out his eyes.. 14:26 < ecrist> I think the snake part is the worst. 14:28 * ecrist can't believe he's still watching it. 14:28 < cpm> are you sorry now! 14:29 -!- dogmeat [n=Bob@unaffiliated/dogmeat] has quit [Connection timed out] 14:29 < ecrist> ew: http://www.badgerbadgerbadger.com/footy.html 14:29 < vpnHelper> Title: Footy and the Football Badgers England England England (at www.badgerbadgerbadger.com) 14:31 < ecrist> that one keeps track of the number of loops with the 'score' 14:41 -!- dogmeat [n=Bob@unaffiliated/dogmeat] has joined ##openvpn 14:53 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 14:53 < patok> I've realised that my OpenVPN client gets the same address every time - it is the first in the range in the DHCP pool, so I would say it gets a lease from the DHCP server properly, but on the DHCP server there is no information about it at all and it causes IP address assignment conflicts then... Has anyone ever seen something like that? :-O 14:56 < ecrist> patok: are you using OpenVPN as your DHCP server for VPN clients, or do you have a different server you're using? 14:58 < patok> I use dnsmasq on the same server as OpenVPN runs on.
14:59 < ecrist> sounds like OpenVPN is acting as the DHCP server and your VPN subnet and local subnet overlap 15:01 < rmull> I'd agree with that. 15:01 < rmull> patok: Bridged or tunneled? 15:04 < patok> bridged 15:06 -!- Netsplit kubrick.freenode.net <-> irc.freenode.net quits: krzee 15:06 -!- Netsplit over, joins: krzee 15:07 < patok> maybe you have right, yeah... I use pfSense on the router... there is "Dynamic IP (Assume dynamic IPs, so that DHCP clients can connect.)" checked - maybe I could try to uncheck it... 15:07 < patok> now I'm not sure if I've understood pfSense documentation well... 15:13 < rmull> patok: Do you have the "server-bridge ... " directive in your server.conf? 15:13 < rmull> If so, that defines the pool of IPs openvpn assigns. 15:13 < rmull> Either change that to a pool outside of the DHCP range, or comment that directive out so that DHCP leases go out to the clients. 15:14 < rmull> However, if you use a DHCP server to assign addresses to bridged clients, you have to configure it so that MAC addresses starting with 00:FF:... don't get their default gateway reassigned. 15:14 < rmull> It's in the HOWTO 15:17 < patok> aha, maybe it will be better to define one pool for LAN and second for VPN clients, how I see.... and now I've finished unfortunately :)) unchecking options I'd been talking about lead to the cutting off the vpn... :) 15:19 < patok> but thanks a lot... I'll try it tomorrow - it sound like really good hint, and I'm quite sure it will work then. 15:26 -!- ke4qqq [n=ke4qqq@64.89.94.194.nw.nuvox.net] has quit ["Konversation terminated!"] 15:26 < rmull> patok: Good luck. Make sure you read the DHCP caveat in the HOWTO. 15:28 < plaerzen> hey guys; what do you all use for password management in the organization? 15:28 < plaerzen> just curious 15:36 < rmull> plaerzen: Did you ever get that netflix code I sent you? 15:42 * plaerzen shakes his head. 
15:42 < rmull> okay, one sec 15:42 < plaerzen> I was away all weekend, monday and tuesday 15:42 < plaerzen> thanks 15:43 < rmull> Enjoy 15:44 < plaerzen> rmull: ..... hrm, does netflix work in canada? 15:46 < plaerzen> ah shit, it seems like it doesn't 15:49 < plaerzen> rmull: might as well give it to someone else 15:49 < rmull> plaerzen: :( 15:49 < rmull> Hokay 15:49 < rmull> Free netflix for sale 15:51 * plaerzen is a sad panda. 15:59 -!- fzzzt [n=fzzzt@rrcs-72-43-92-186.nys.biz.rr.com] has quit [Read error: 104 (Connection reset by peer)] 15:59 -!- fzzzt` [n=fzzzt@rrcs-72-43-92-186.nys.biz.rr.com] has joined ##openvpn 16:09 < patok> rmull: ok, thx again... I'm going :) bye 16:09 -!- patok [n=patok@r9ay214.net.upc.cz] has left ##openvpn [] 16:16 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 54 (Connection reset by peer)] 16:37 < plaerzen> I'm going to hang out in security for a little while. Need to talk about some security related subjects. 16:37 < plaerzen> bbl 16:37 -!- plaerzen [n=cam@S010600119505deed.cg.shawcable.net] has quit ["[BX] I wonder what this button marked "EOF" does..."] 16:54 -!- fzzzt` [n=fzzzt@rrcs-72-43-92-186.nys.biz.rr.com] has quit ["Leaving"] 17:02 -!- plaerzen [n=cam@S010600119505deed.cg.shawcable.net] has joined ##openvpn 17:02 < plaerzen> #security sucks 17:11 < rmull> lol plaerzen 17:56 < plaerzen> ldap, kerberos oh my. I wish credential management was easy. 18:09 < onre> i've actually thought of running ldap with cleartext auth in environment where no data gets moved across non-vpn connections 18:09 < onre> because setting up ldap authentication etc in diverse environments can be a royal PITA 18:16 < plaerzen> yeah. We have alot of diversity I want to try and integrate into one system. 18:16 < plaerzen> But... I don't know if it's realistic 18:31 < onre> well, it's supposedly feasible... depending on what are the exact features you'll need. 
18:32 -!- adie [n=adie@tapeworm.5sh.net] has joined ##openvpn 18:34 < adie> I've just been caught by the "--script-security" option in debian lenny.. my working vpn config has broken, failing on executing the script. 18:35 < adie> /usr/sbin/openvpn --script-security 2 --writepid /var/run/openvpn.TrLe-UDPTun.pid --daemon ovpn-TrLe-UDPTun --status /var/run/openvpn.TrLe-UDPTun.status 10 --cd /etc/openvpn --config /etc/openvpn/TrLe-UDPTun.conf 18:36 < adie> fails with: ovpn-TrLe-UDPTun[6873]: script failed: could not execute external program 18:36 < adie> removing the reference to the "up" script in my config fixes the problem... any suggestion/ideas? 18:37 < adie>  18:41 < plaerzen> onre: well, I want to integrate with salesforce, google apps, ssh, vpn... and have employees all see and manage their own credentials 18:42 < plaerzen> using a web form of some kind 18:46 * adie spots his problem with a quick strace.. 18:46 < onre> that might get quite hairy and scary 18:46 < onre> adie, right on :) 18:46 < adie> version 2.1_rc9 seems to have changed the way it calls scripts significantly.. you can't do: 18:47 < adie> up "/path/script.sh myarg" 18:47 < plaerzen> onre: yes. I won't develop any system myself. I will see if we can get a shrink wrapped solution (most likely not) or just do some basic ldap stuff 18:48 < adie> anymore.. it'll try to execve the whole string, rather than just the script with the arg. 18:50 * plaerzen waves. 18:51 < plaerzen> ok, home time. peace out. 18:51 < plaerzen> until tomorrow. 19:41 < ecrist> evening, kids 19:43 < ecrist> onre: what're your needs in an authentication system? 
20:54 -!- Netsplit kubrick.freenode.net <-> irc.freenode.net quits: dogmeat, onre 21:38 -!- near [n=near@88-122-30-103.rev.libertysurf.net] has quit [Read error: 110 (Connection timed out)] 21:39 -!- near [n=near@88-122-21-114.rev.libertysurf.net] has joined ##openvpn 21:52 -!- Whoopie_ [i=Whoopie@unaffiliated/whoopie] has joined ##openvpn 22:04 -!- SilenceGold [n=chris@70.232.106.91] has quit [Read error: 110 (Connection timed out)] 23:20 < Optic> moo 23:33 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn --- Day changed Thu Aug 21 2008 01:34 -!- pa [n=pa@unaffiliated/pa] has joined ##openvpn 02:00 < kraut> moin 02:04 < krzee> !kraut 02:04 < vpnHelper> krzee: "kraut" is moin 02:31 -!- RexMundi [n=RexMundi@off.spillgroup.com] has quit [Read error: 104 (Connection reset by peer)] 02:31 -!- RexMundi [n=RexMundi@off.spillgroup.com] has joined ##openvpn 02:47 -!- SilenceGold [n=chris@adsl-70-232-78-19.dsl.ltrkar.sbcglobal.net] has joined ##openvpn 04:22 -!- aia [n=aia@unaffiliated/aia] has quit [Read error: 145 (Connection timed out)] 04:34 -!- djs [n=djs@unaffiliated/djs26] has quit [Remote closed the connection] 05:07 -!- djs [n=djs@unaffiliated/djs26] has joined ##openvpn 05:39 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 06:03 < krzee> http://digg.com/security/EFNet_IRC_net_and_Website_get_hacked 06:03 < vpnHelper> Title: Digg - EFNet IRC net and Website get hacked (at digg.com) 06:33 -!- tcccp [i=hey@223.66.238.89.arpa-addr.in] has quit [Remote closed the connection] 06:40 < ecrist> good morning kids 06:55 -!- steve [i=steve@bouncer.stephen.marsh.name] has joined ##openvpn 06:55 < steve> hi all 06:55 < ecrist> morning 06:56 < steve> I was wondering whether it's possible to direct all routing via a VPN, so I can connect to internet destinations via the VPN rather than just on the local subnet? 
06:56 < steve> so effectively my default route would be the VPN 06:56 < steve> but obviously i'd need a route for the VPN over the real connection 06:56 < steve> this is on a windows client btw 06:56 < ecrist> yes, have you read the documentation? 06:57 < steve> I couldn't find anything which explained that particular question 06:57 < ecrist> !howto 06:57 < vpnHelper> ecrist: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 06:57 < steve> could you direct me to the relevant section? :) 06:58 < ecrist> seriously. go to the link above, read the bulleted topics at the top. You'll find the exact topic you're looking for about half way down. 06:58 < ecrist> :\ 06:59 < steve> got it.. sorry :) 07:30 < rmull> mornin doods 07:35 < adie> has anyone tried openvpn with a via nano cpu/system yet? if so what throughput do you get? 07:41 < cpm> I get 1 dollar 07:50 < rmull> adie: I'd imagine pretty good throughput if you have the Padlock stuff configured correctly. 08:03 < adie> rmull: well the old stuff had trouble pushing 40mbit over the wire due to choking on bus bandwidth.. 08:04 < adie> the padlock specs are pretty good... I'm wanting to do gbit crypto, and there's nothing software/oss available that works. 08:07 < rmull> adie: Oy, 40Mbit is a lot, yeah, I'm not sure about that 08:07 < rmull> I ran some benches on my VIA C7 (not nano) with padlock enabled 08:08 < rmull> But they were just openssl speed tests 08:10 < plaerzen> morning irc 08:22 < sega01> is there a useful way to see svn changes?
08:22 < sega01> http://svn.openvpn.net/projects/openvpn/branches/BETA25/openvpn/ is not helpful 08:22 < vpnHelper> Title: Revision 3259: /branches/BETA25/openvpn (at svn.openvpn.net) 08:26 < sega01> nevermind 08:27 < sega01> 2.5 hasn't been changed since december 2005 :-( 08:31 -!- Bushmills [n=nnBushmi@verhau.de] has joined ##openvpn 08:39 < adie> rmull: I'm currently getting around 300mbit/s on a xeon, and connection round-robining across multiple openvpn tunnels to get best speed.. but I want 1gbit. :-/ 08:43 < cpm> do you get 1gbit against raw ftp? 08:44 < cpm> raw ftp it my favorite benchmark of actual net performance. 08:44 < cpm> s/it/is 08:46 -!- Bushmills [n=nnBushmi@verhau.de] has left ##openvpn ["Leaving."] 08:47 < sega01> netcat would work well 08:47 < sega01> but ftp is more realistic for "real world" throughput 08:47 < sega01> then again, ftp has very little overhead at all 08:50 * ecrist roars. 08:50 < rmull> ftp pisses me off. 08:51 < ecrist> lol, why's that? 08:52 * ecrist is working on renumbering his network today. 08:53 < cpm> Ewwww! 08:53 < cpm> why are you renumbering? 08:55 < ecrist> more just moving hosts around. 08:56 < ecrist> there's a lot of legacy numbers in there that don't need to be. 08:56 < ecrist> for example, my web server has like 8 IPs right now. 08:56 < ecrist> doesn't need that many any more. 08:57 < ecrist> and, I want to open a few up for DHCP from VoIP phones and such, since the apple airport extreme base station doesn't want to play nice with my voip phone. 08:57 < ecrist> :( 08:57 < plaerzen> nerd 09:02 < cpm> yeah, nerd! 09:03 * cpm gives ecrist a wedgie 09:03 -!- abien [n=abien@watergate.tradehaven.de] has joined ##openvpn 09:05 < abien> My opinion is that i should be able to bundle/channel multiple DSL lines (from different providers) with a semi-advanced openvpn setup involving bonding of tap devices.. Anyone disagree or can kindly point me to a howto about this or similar topics?
09:06 < abien> or tell me im wrong and it will never work :x 09:06 < cpm> I radically disagree. Good luck. 09:07 < cpm> doing something akin to ad-hoc bgp with dsl is certainly doable. 09:07 < cpm> folks do it. 09:07 < cpm> There are 'black box' approaches to this, and that is definitely the most painless approach 09:08 < abien> yeah but its 3k a pop and i really think that inside they're just using the same technique 09:08 < cpm> now, doing a vpn over it will encounter issues. As you are not going to be able to propagate and publish a route as you would if you were running bgp, you will not necessarily achieve full duplex speed. 09:08 < cpm> naw, you can get them much cheaper than that. 09:09 < cpm> more like $1K to $1.5K or thereabouts. 09:09 < cpm> still cheaper than a decent router. 09:09 < abien> Hmm.. ok im gonna read up. i still think it can be done though. as long as you control both endpoints you should be able to do pretty much anything 09:09 < ecrist> anyone here a dhcpd guru? 09:09 < abien> i didnt mention i control both endpoints though.. 09:10 < abien> the idea is to make the VPN go from the dsl lines to a server in a colocation 09:10 < abien> and go to the www from there.. 09:10 < cpm> true, you didn't. Might be easier then, but again, since you don't control the entire route, it's still sketchy. 09:11 < ecrist> abien: you'd have to setup BGP on either side and build a vpn tunnel across each link 09:11 < cpm> if both of your providers otoh, will do ebgp for you, and publish your route, should be just like doing a regular multihomed subnet. 09:11 < cpm> ah, that's an interesting approach. 09:11 < abien> In my head i shouldnt have to use bgp 09:11 < cpm> do ibgp, across multiple vpns, 09:11 < cpm> hmm, that's interesting 09:12 < cpm> abien, what, you mean like doing mlppp ? 09:12 < ecrist> ick, that would be nasty 09:12 < cpm> truly. 09:13 < abien> one vpn across each link, results in 3 vpn tunnels.
take those 3 tunnel interfaces (tap1 - tap3) and bond them resulting in bond0 distributing incoming packets via the attached devices (tap 0 - tap3) 09:13 < abien> since it's a layer2 tunnel, it shouldnt need any routing protocol 09:13 < abien> maybe i cant explain it too well, but in my head it looks really good ! :P 09:13 < cpm> I think you will drop packets like water out of a noodle strainer. 09:14 < cpm> but you could lab it up, and give it a try. 09:14 < cpm> that wouldn't be *that* hard to mock up. 09:17 < abien> yeah 09:18 < abien> i was just gonna check, if there's an obvious reason why it shouldnt work. 09:18 < abien> so i dont spend the day for nothing :P 09:18 < plaerzen> ugh. At least you have something interesting to work on. 09:18 < plaerzen> I have to go visit a client and troubleshoot our new data backup solution. 09:18 * plaerzen sighs. 09:19 < abien> yeah well.. i made the mistake to publicly announce to my coworkers that my setup would solve our problems 09:19 < abien> so now it better work 09:19 < cpm> plaerzen, is that it that different from your old data back up solution? 09:19 < cpm> abien, yeah, that was a mistake. 09:19 < cpm> but that's how you learn. 09:19 < plaerzen> cpm: yeah, our old one was rsync over ovpn. This new 3rd version is a 3rd party software 09:20 < cpm> plaerzen, yer doing off site? 09:20 < plaerzen> cpm: yeah 09:20 < cpm> which 3rd party? 09:20 < plaerzen> storagepipe 09:20 < cpm> interesting to learn what you find out. 09:20 < plaerzen> so far I have mixed emotions. It's got a nice interface, seems pain free, etc. However I can't see a list of all files each client has backed up..... 09:21 < plaerzen> And that's fairly important 09:21 < cpm> umm, well, the restore dialogues should give you a clue, eh? 09:21 < plaerzen> But, they say they can backup read-locked files....
so if they can do that, it will solve much of our problems 09:22 < plaerzen> cpm: yeah I'm going to the client (beta) site today to check it out - see what information I can glean from the client interface. 09:22 < cpm> abien, it's an interesting problem. What is it predicated on? I'm guessing it's a remote office issue? 09:24 -!- hulatang [n=hulatang@216.129.199.133] has joined ##openvpn 09:24 < hulatang> is there any hardware device that act as openvpn server that's easy to configure? 09:25 < hulatang> I used openvpn server with smoothwall firewall, the configuration is difficult imo 09:25 < cpm> there isn't anything simple about vpns 09:25 < cpm> it's not a simple task. 09:25 * plaerzen nods. 09:26 < plaerzen> I'm actually surprised it's not called sovpn (in the same vein as smtp, sasl, soap, etc) 09:27 * plaerzen laughs at his own joke. Haaaa..... 09:30 < ecrist> hulatang: install freebsd on a box and configure openvpn. 09:31 < ecrist> !freebsd 09:31 < vpnHelper> ecrist: "freebsd" is https://www.secure-computing.net/wiki/index.php/OpenVPN_Server 09:31 < hulatang> thx 09:33 < plaerzen> !lag 09:33 < vpnHelper> plaerzen: Error: "lag" is not a valid command. 09:33 * plaerzen is feeling silly. 09:33 < plaerzen> afk, smoke break 09:33 < cpm> at the core of the issue, is that folks don't really get what a vpn is. The massive confusion betwixt routing and bridging speaks to this, , loudly. 09:34 < plaerzen> routing confuses me daily 09:34 < plaerzen> rcmd 09:35 < cpm> routing is yet still another classic, if you don't get it, you really don't get it. once you get it, while it's easy to miscalculate stuff, it's simple to understand. 09:39 < ecrist> most people in here with questions have routing questions. 09:40 * ecrist changes channel to #routing 09:42 < adie> isn't #lartc for that? 09:42 < abien> a tap device will automaticly get an ip adress, but it doesnt have to have one correct? after the tap-tunnel is established, i could ifconfig tap0 0.0.0.0 without impact ? 
09:43 < abien> i just want layer2 tunneling
09:43 < adie> cpm as I said, I only get around 300mbit/s... I want gbit.
09:44 < cpm> do you get 1gbit against raw ftp?
09:47 < adie> erm you mean over raw ether?
09:47 < adie> well I get 2gbit with two tcp streams across the line.
09:47 < adie> (duplex of course).
09:47 < cpm> I mean over the same path as you wish to get yer 1gbit over vpn
09:49 < adie> aye
09:49 < adie> the problem is my vpn processes are cpu bound
09:49 < adie> I can only crypt at 300ish mbit/s per stream
09:50 < cpm> umm, well, yeah.
09:50 < adie> as that's 100% cputime.
09:50 < cpm> ya need more power capt'n!
09:51 < adie> so I'm wondering if the via nano cpu systems have enough bus bandwidth combined with the padlock stuff to push 1gbit of aes256
09:51 < rmull> adie: Here's that benchmark I mentioned a bit ago: http://deconfused.org/etc/crypto.txt
09:52 * cpm yawns
09:53 < rmull> So I'd be inclined to say no, that the VIA systems can't push a gigabit of crypto traffic through padlock, and so you won't get the gig across your bus
09:53 < rmull> Actually, I take that back
09:53 < cpm> ya want huge bandwidth on a cryptographic link, there are hardware solutions. They've fallen out of favor due to the low cost of cpu power.
09:53 < rmull> Those numbers are in bytes
09:53 < cpm> so, now folks want huge bandwidth, without dedicating the hardware to the problem?
09:53 * cpm goes back to sleep.
09:54 < rmull> lol cpm
09:54 < hulatang> the DHCP push option, for DNS what should I use?
09:55 < adie> rmull: aye, the c7 systems don't have the bus bandwidth though.. http://www.via.com.tw/en/products/processors/nano/ has very shiny specs
09:55 < vpnHelper> Title: VIA NanoTM Processor - VIA Technologies, Inc. (at www.via.com.tw)
09:55 < hulatang> the vpn server ip or internal dns ip?
09:55 < adie> if they can do a quarter of that I'd be very happy
09:58 < cpm> since you can buy a quad core box + available ram + 2 gigE nics for < $1K, well, dunno where to go with that.
09:58 < rmull> ovpn doesn't effectively multithread though, no?
09:58 < rmull> so the quad wouldn't help?
10:00 < cpm> http://openvpn.net/archive/openvpn-users/2004-08/msg00186.html
10:00 < vpnHelper> Title: Re: [Openvpn-users] 2.0 pthread support? (at openvpn.net)
10:00 < rmull> What I read about that said it didn't do much to improve stuff
10:01 < cpm> did you read the posting?
10:01 < cpm> Answer: Run multiple server mode daemons
10:01 < adie> cpm: because openvpn isn't threaded and it's on a quad core box atm
10:02 * cpm sighs
10:02 < adie> cpm: it's currently load balancing connections across openvpn processes.
10:02 < adie> so it's limited at that 300mbit/s I keep talking about.
10:02 < cpm> sorry, I'm still not seeing this 300mbit boundary
10:03 < adie> well you get a xeon, you throw as much data down an openvpn process as possible, and you reach 300mbit/s.
10:03 < cpm> where is this boundary defined?
10:03 < ecrist> adie: can you show your math on that?
10:04 < adie> if you try to spread a single tcp/udp stream across multiple processes with round-robin packets, the packets get out of order and choke the connection.
10:04 < adie> ecrist: no maths, it's all practical real world benchmarking
10:05 < hawk> adie: Well, the multiple processes suggestion looked more like a way to handle lots of connections, not to achieve crazy speeds for a single connection.
10:06 < adie> hawk: yes, and that's what I'm currently doing:- round-robining connections on the link.
10:06 < cpm> hawk, true, iow, achieve what's needed to get the job done. I personally get very bored when folks talk about needing crazy bandwidth across long distances.
10:06 < adie> I've got 100 engineers at my location, and a gig link to another location with lots of hardware down there.
10:07 < cpm> adie, I think that when you add up the overhead traffic inherent in a vpn, even if you could shove the packets down, you'd still not hit 1gig data throughput.
10:08 < adie> cpm: it's 40KM [24 miles] of fibre to a location around 2 miles away. latency isn't the issue.. it's all about computation.
10:08 < cpm> fair enough.
10:09 < cpm> but why are you dicking around with mickey mouse hardware to solve a significant infrastructure challenge?
10:09 < adie> cpm: I'm aware of all the issues, I've got other issues with a link from manchester/uk to california/us...
10:09 < adie> that's all latency related..
10:10 < ecrist> adie: if you're running fibre like that, be a man and use commercial hardware for it.
10:10 < ecrist> if it's that big a deal, use the professional stuff.
10:10 * cpm concurs. Purchase what you need from your bandwidth vendor. Done.
10:10 < ecrist> put two cisco PIXs in place, and run IPSec.
10:11 < adie> aye, I keep talking about that..
10:11 < ecrist> and actually, if it's private fibre, you should be able to trust it.
10:11 < cpm> Ipsec been velly velly good to me.
10:11 * cpm is iffy on that one. even for private fibre, encapsulating it in ipsec doesn't create many problems, and removes a lot of variables. Worth doing I think.
10:11 < adie> I'm trying to battle not-so-clueful management to convince them to let me remove the crypto. they don't want to shell out for proper kit.
10:12 < ecrist> well, then tell them to deal with 300Mbit
10:12 < cpm> they don't want to shell out for proper kit for 100 developers? fuck'em.
10:12 < ecrist> you sure you're not losing packets on the glass?
10:12 < adie> nope it's all fine.
10:12 < cpm> adie, you *could* run openswan ya know.
10:12 < ecrist> can you run non-encrypted traffic at 1Gbps?
10:13 < cpm> probably.
10:13 < adie> cpm: I know.. but unfortunately it really doesn't provide that much performance improvement, and you also can't split multiple processes over your cores, so achieve more than 300mbit total.
10:13 < adie> ecrist: yes. as I said.. it's all cpu bound
10:14 < cpm> adie, dunno, the asa's from this side of the pond have no inherent 300mbit boundary limit.
10:15 < adie> cpm: asa?
10:15 < cpm> those new all-in-one PIXes
10:15 < cpm> new-ish
10:15 < adie> ah
10:16 < adie> I'm talking about crappy x68 boxen running openvpn/other vpn software.
10:16 < adie> s/868/86/
10:16 < ecrist> adie, use real hardware.
10:16 < ecrist> that's our official response.
10:16 < adie> :)
10:17 * plaerzen seconds that motion.
10:17 * adie would vote to ditch the crypto.
10:18 < plaerzen> Those are your options: live with 300 mbit, ditch crypto or use real hardware. (sometimes I like to summarize things)
10:18 < cpm> errr, I'd have doubts.
10:18 * cpm likes crypto
10:18 < plaerzen> yeah, I do too.
10:19 < ecrist> cpm, leased glass doesn't need crypto unless you're doing certain things.
10:20 < adie> think ours is contractual
10:20 < cpm> ecrist, if it leaves my building, it leaves my control. due diligence suggests wrapping it with crypto.
10:20 < ecrist> now, if they're simply tapping into an IP network running on that glass, that's different.
10:21 < adie> we light up the glass ourselves.
10:21 * adie yawns
10:21 < plaerzen> cpm: I like that philosophy
10:22 < adie> I'm just interested whether the new nano's have the bus bandwidth to push 1gbit.
10:22 < ecrist> I agree with the sentiment, but disagree in practice.
10:22 < adie> aye, crypting gbit is kinda expensive still :-/
10:22 -!- bandini [n=bandini@host169-105-dynamic.16-79-r.retail.telecomitalia.it] has joined ##openvpn
10:23 < ecrist> cpm: do you wear a tinfoil hat?
10:23 < ecrist> :P
10:23 < hawk> Are tinfoil hats out of fashion?
10:23 < adie> nah
10:23 < adie> I've got 3
10:24 < adie> and I'm wiv teh kool kids and run vister... ;)
10:28 < cpm> adie, well fortunately for me, in my shop, we can't buy any decent bandwidth. So, it's a non issue for me.
10:31 < ecrist> I still find it comical that your company will spend the money on a fibre lease, the termination hardware for 1Gbps, but demands crypto and won't pay for it.
10:31 < ecrist> fwiw, Cisco PIX 501s on ebay for a couple hundred bucks...
10:31 < adie> ecrist: you're not the only one who finds it comical.
10:31 < cpm> more sad than comical really. Sounds like a classic 'go look for a different shop' case.
10:32 < hawk> ecrist: Can those do Gbit vpn, then?
10:32 < adie> I'd doubt it for a 501
10:32 < cpm> bespeaks a certain prioritizing algorithm that may not be acceptable over the long run.
10:32 < hawk> "Cisco PIX 501 delivers up to 60 Mbps of firewall throughput, 3 Mbps of Triple Data Encryption Standard (3DES) VPN throughput, and 4.5 Mbps of Advanced Encryption Standard-128 (AES) VPN throughput."
10:32 < adie> the management prefer to spend the cash directly on toys for the code monkeys
10:32 < hawk> :>
10:33 * ecrist is bored with this.
10:34 * cpm is just boring
10:35 * plaerzen is excite.
10:37 -!- aptanet [n=Paul@87-127-190-18.no-dns-yet.enta.net] has joined ##openvpn
10:39 < ecrist> apparently you're borat, too.
10:40 * ecrist throws voip phone against wall.
10:40 -!- aptanet [n=Paul@87-127-190-18.no-dns-yet.enta.net] has quit [Nick collision from services.]
10:41 -!- aptanet [n=Paul@87-127-190-18.no-dns-yet.enta.net] has joined ##openvpn
10:42 < cpm> heh
10:42 < cpm> great stuff, that voip, ain't it?
10:43 < ecrist> voip isn't the problem today, it's the retarded dhcpclient they use on this phone.
10:43 < cpm> which phone?
10:44 < cpm> don't say grandstream. You lose points if you do.
10:48 < cpm> Anyway, you could do a gig vpn with a pair of cisco 2821s.
10:48 < cpm> if all you needed was ipsec vpn
10:48 < ecrist> cpm, I'm using Polycom SoundPoint IP 330s
10:49 < cpm> http://www.cisco.com/en/US/products/ps5880/index.html
10:49 < vpnHelper> Title: Cisco 2821 Integrated Services Router - Cisco Systems (at www.cisco.com)
10:49 < cpm> SP330s should work okay.
10:49 < cpm> unplug it.
10:49 < ecrist> they do, but the 3.0.0.0258 firmware sucks balls.
10:49 < ecrist> tried that.
10:49 < cpm> dang
10:49 < ecrist> for 5 minutes.
10:49 < ecrist> still comes up with wanting its old address.
10:49 < ecrist> :\
10:49 < cpm> that would piss me off really fast :)
10:50 < cpm> I hate truculent dhcp clients.
10:50 < cpm> one reason I hate windows
10:50 < cpm> can haz 192.168.0.100?
10:50 < cpm> FUCK NO!
10:50 < cpm> can haz 192.168.0.100?
10:50 < cpm> DAMNIT! NO!
10:50 < cpm> can haz 192.168.0.100?
10:50 < cpm> take 10.10.232.18
10:51 < cpm> can haz 192.168.0.100?
10:51 < ecrist> cpm http://pastebin.com/m60c1a87e
10:51 < cpm> and so forth
10:51 < cpm> grrrr,
10:51 < cpm> that really makes me angry, I'm getting angry just reading it.
10:51 < ecrist> it's been requesting it for an hour now.
10:52 < ecrist> with a pause every 10 minutes while it gives up and reboots, only to start over again.
10:52 < ecrist> even tried a factory reboot.
10:52 < ecrist> s/reboot/default/
10:52 < cpm> sounds like some flash disciple is required.
10:52 < plaerzen> cpm, you just made my day.
10:52 < cpm> grab another one from the closet, toss that one off the roof.
10:53 < ecrist> what pisses me off is I just RMAd one phone for an issue which may be related.
10:53 < cpm> polycom have a newer firmware?
10:53 < ecrist> no, that's the latest.
10:53 < ecrist> this issue has been quickly escalated to 'engineering'
10:54 < cpm> can you downgrade it?
10:54 < ecrist> nope
10:54 < cpm> crap
10:54 < ecrist> very specifically the 2.x to 3.x firmware is not undoable.
10:54 < ecrist> if that's a word.
10:54 < cpm> what switch software?
10:55 < ecrist> our VOIP provider is IronVoice, using asterisk.
10:55 < cpm> how U pushing your configs?
10:55 < ecrist> our provider does that for us.
10:55 < cpm> one of them outsourced deals eh?
10:56 < cpm> hows that work for you generally?
10:56 < plaerzen> that tcpdump on pastebin. laughter.
10:56 < plaerzen> or logs, w/e
10:58 < cpm> plaerzen, yeah, i can't look at it.
10:58 < cpm> really, I get seriously pissed off (angry) when that happens. I really don't like computers some times. Most of the time, yes.
11:02 < plaerzen> Soon I will have to deal with that.
11:03 -!- abien [n=abien@watergate.tradehaven.de] has quit ["ircN 8.00 for mIRC (20080313) - www.ircN.org"]
11:04 < plaerzen> what do you guys use for gateways in your shops? ( adie can ignore this one - we have like 30 employees)
11:06 < adie> lol
11:10 < cpm> gateway?
11:10 < cpm> adie, you get my push on the cisco 2821 router?
11:10 < adie> cpm: ??
11:11 < plaerzen> cpm: yeah, like what would be a good appliance for a smaller shop that can do routing, vlan administration, etc. crisco pix ?
11:11 < adie> erm, aye that should be fine.
11:11 < cpm> err, krisko asa, or maybe astaro
11:12 < adie> I find our linux and freebsd boxen good enough for that.
11:12 < cpm> asa is an all-in-one, a pix, is basically a vpn 'server'.
11:12 < plaerzen> adie: I want something purpose-made with some redundancy
11:12 < adie> cpm: a pix is a horrible firewall which is cisco supported and has hardware crypto
11:13 < adie> we're running vrrp between boxen
11:13 < cpm> krizko asa, or astaro. the astaro is a linux kludge box w/support contracts, 'simple boss friendly UI' (which is a lie of course, you still need clues)
11:13 < cpm> adie, as a firewall, the pix is a fail.
11:13 < cpm> :)
11:13 < adie> but aye, I'd prolly go for a pix personally.
11:13 < cpm> as a vpn endpoint, it ain't bad.
11:13 * adie has had too many smtpfuckup issues with pixes
11:13 < cpm> but like so many other things, depends a lot on who set it up.
11:14 < adie> we virtually never have issues with our pixes
11:14 < cpm> yup, the smtpfuk on the pix is a bad one.
11:14 < cpm> 1) adie has had too many smtpfuckup issues with pixes
11:14 < cpm> 2) we virtually never have issues with our pixes
11:14 < cpm> which is true?
11:15 < adie> mainly other peoples pixes running smtpfuckup
11:15 < adie> but that was when I used a lot of them in the isp world
11:15 < adie> we have pixes too, running ipsec to other locations, which are fine.. just leave them be :)
11:16 < cpm> http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/prod_brochure0900aecd8048dba8.html
11:16 < vpnHelper> Title: Cisco ASA 5500 Series Firewall Edition for the Enterprise Solution Overview [Cisco ASA 5500 Series Adaptive Security Appliances] - Cisco Systems (at www.cisco.com)
11:16 < cpm> ipsec as vpn endpoints, what did I say?
11:16 < cpm> I can't remember.
11:16 < adie> for gbit gets expensive :-/
11:16 < cpm> or rather pix as ipsec vpn endpoints,
11:17 < cpm> quite so.
11:17 < cpm> but, the 2821 with the security module, appears to do what you need.
11:19 < cpm> but for plaerzen, well, if I was going to buy such a product, I'd get either an ASA or an Astaro, with the weight on the ASA, as that experience translates well into the future. Not many folks making their bread and butter on managing Astaro (similar) firewalls.
11:19 < cpm> whereas I've never 'learned' something on a piece of cisco gear, that didn't come in handy later.
11:21 < cpm> http://www.astaro.com/our_products/astaro_security_gateway/hardware_appliances
11:21 < vpnHelper> Title: Astaro Security Gateway Hardware Appliances - All-in-One Unified Threat Management Solutions for Complete Network Security, Web Security and Mail Security (at www.astaro.com)
11:30 < plaerzen> ah sweet, I go for a coffee and come back to some reading material.
11:34 < cpm> things about astaro that really piss me off. When they first started to act like they were going to get into the game, and invited the 'community', I -idiot that I am- got involved.
11:34 < cpm> they did a pretty fair job of packaging openswan
11:34 < cpm> I pushed for openvpn, then in the 1.x days
11:35 < cpm> one of their chief developers sent me a really snarky email stating that ssl web vpns aren't true vpns and they would not support them as such.
11:35 < cpm> I got a big case of 'wtf?'
11:36 < cpm> now, of course, they've wrapped openvpn in their secret sauce, calling it 'Astaro SSL VPN'.
11:36 < cpm> doing their level best to hide the openvpn core.
11:36 < cpm> that -imho- sucks.
11:38 < plaerzen> yeah
11:39 < plaerzen> I would be slightly upset
11:40 -!- aptanet [n=Paul@87-127-190-18.no-dns-yet.enta.net] has quit [Read error: 110 (Connection timed out)]
11:40 -!- plaerzen is now known as AstaroSpy
11:41 -!- AstaroSpy is now known as plaerzen
11:41 < cpm> it's quite cost competitive to the ASA, and it does work as advertised. I've worked on'em before.
11:41 < cpm> I don't really hate the actual product. The company irritates me.
11:46 < plaerzen> I'm definitely going to look into it
11:54 < ecrist> I'm a little disappointed, guys.
11:55 < ecrist> ever since I went on a rampage a month ago because of all the fuck-heads in here, none of them have shown back up, worth of the banhammer.
11:55 * ecrist sobs.
11:56 -!- xattack [i=invitado@132.248.108.239] has joined ##openvpn
11:57 < ecrist> worthy*
12:05 < cpm> If I had the energy, I'd try to get banned, but I just don't have it in me.
12:05 < cpm> maybe I'll try later.
12:28 * plaerzen sighs
12:28 < plaerzen> time to go to the client site... be back later, if I don't suicide.
12:54 < ecrist> lol
12:55 < cpm> n'joy
12:55 < ecrist> cpm: I don't know why, but that phone finally pulled its handset out of its data port and started working with DHCP again.
12:56 < cpm> good
13:02 -!- hulatang [n=hulatang@216.129.199.133] has left ##openvpn []
13:02 < ecrist> and, fwiw, I got the dhcp options stuff setup so that it gets a specific IP address based on manufacturer
13:11 -!- BoomSie [n=gideon@212-182-158-43.ip.telfort.nl] has joined ##openvpn
13:12 -!- fer_luck [n=fer_luck@201-88-32-138.cbace700.e.brasiltelecom.net.br] has joined ##openvpn
13:12 < fer_luck> hi guys! :-)
13:13 < ecrist> just fer_luck.
13:13 < ecrist> lol
13:13 < ecrist> how goes?
13:13 < fer_luck> ecrist: fine, what about you?
13:13 < ecrist> peachy
13:13 < ecrist> as soon as my boss' wife falls off the planet.
13:13 < ecrist> :\
13:14 < fer_luck> hehe.. that's good I guess. :-D
13:14 < fer_luck> well.. I need some help.. I'm stuck. :-)
13:14 < fer_luck> I have a vpn running already, over pfsense
13:14 < fer_luck> I have three pfsense boxes connecting two branch offices to the hq...
13:14 < ecrist> ok.
13:15 < fer_luck> I did one vpn to connect the hq to branch 1.. and another to connect branch 1 to branch 2 (as I couldn't route between the two branches only using the hq vpn.. forgive me if I'm mistaken with this)
13:15 < ecrist> continue
13:16 < fer_luck> now the problem is.. when I try to access a windows share by using either unc or the ip address, I can access it from branch 1 to hq.. also I can do that from branch 2 to branch 1.. but from branch 1 to branch 2 it's not working.. :-/ the weird thing is that if I try to access the machine through the httpd server contained in there, it works, so it's resolving the machine from 1 to 2.. just accessin the share doesn't wo
13:17 < ecrist> can you draw it out and post it somewhere?
13:18 < fer_luck> I can. hold on.
13:20 < fer_luck> ecrist: you mind if I just post one ascii schematic?
13:21 < ecrist> sure, that's fine
13:22 < fer_luck> ecrist: http://pastebin.com/d171fdb4a
13:22 < fer_luck> I think it should work with only one vpn connection between the branches and the hq.. but I couldn't get it to work by the time, so I decided to do it the way it worked. :-(
13:23 -!- mode/##openvpn [+o ecrist] by ChanServ
13:24 -!- ecrist changed the topic of ##openvpn to: Home Page: http://openvpn.net | HowTo: http://openvpn.net/howto | Current Release: 2.0.9 | Wiki: https://www.secure-computing.net/wiki/index.php/OpenVPN | Pastebin your copies over 5 lines. | Don't feed the trolls.
13:24 -!- mode/##openvpn [-o ecrist] by ecrist
13:25 < ecrist> fer_luck: there's a couple ways to tackle your problem.
13:25 < ecrist> 1) have one VPN server at the HQ, route everything there.
13:25 < fer_luck> Hmm.. good.. :-) How can I begin?
13:26 < fer_luck> That's what I intended to do at first.. but won't it be kinda slow to route from branch 1 to branch 2?
13:26 < fer_luck> and cause overhead on hq?
13:26 < ecrist> 2) have a VPN server at each location, with each location connecting to each other for direct routes (saves bandwidth at HQ for connections between two remote sites)
13:27 < ecrist> right, so, you install an OpenVPN server at each location, then each other location has a VPN connection to it.
13:27 < ecrist> well, you'd actually only need two servers for three locations.
13:27 < fer_luck> ok.. so you think it might be the structure I did that makes it slow?
13:27 < fer_luck> sorry
13:27 < fer_luck> not work
13:32 < ecrist> http://skitch.com/ecrist/u76w/untitled
13:32 < vpnHelper> Title: Skitch.com > ecrist > Untitled (at skitch.com)
13:33 < fer_luck> ecrist: I guess that's how it is already
13:33 < ecrist> ok, so what's wrong with that?
13:33 < ecrist> set it up so that each site gets a static IP, set routing table so that the subnet at each site is routed to the static VPN IP address.
13:34 < ecrist> in that diagram, HQ and Site 1 have a VPN server.
13:34 < ecrist> HQ serves for site 1 and site 2, site 1 serves for site 2.
13:35 < fer_luck> that's how it is.. I can access branch 1 from branch 2 using other protocols.. but when on (argh) windows I do a \\192.168.3.250 it can't, and gives me a "no network provider accepted the given network path"
13:36 -!- xattack [i=invitado@132.248.108.239] has quit ["Leaving"]
13:37 < ecrist> sounds like a routing issue.
13:39 < fer_luck> hmmm.. if I traceroute from one location to the other it works
13:39 < ecrist> ok, so what's broken?
13:40 < fer_luck> it just doesn't open the share on windows.. I don't know what's going wrong with this.. as it's neither a dns nor a routing issue
13:40 -!- aptanet [n=Paul@87-127-190-18.no-dns-yet.enta.net] has joined ##openvpn
13:41 < ecrist> fer_luck: windows sharing doesn't work very well across subnets.
13:41 < ecrist> however, if it's not routing, could be firewall
13:41 < fer_luck> hmmm.. I guess I figured what's going on...
13:42 < fer_luck> let me just check if it is really that.. hold on. :-)
13:44 < fer_luck> ecrist: figured what's wrong
13:44 < fer_luck> :-)
13:45 < ecrist> what was it?
13:45 < fer_luck> the problem is.. I was trying to print using the dlink print servers this customer has...
13:45 < fer_luck> one print server module acts as a smb host, the other just has http printing capabilities.. :-O
13:45 < fer_luck> dumb me.. :-S
13:49 < fer_luck> that's very strange..
13:52 < fer_luck> well. thanks guys.. :-)
14:17 -!- aia [n=aia@unaffiliated/aia] has joined ##openvpn
14:34 -!- near [n=near@88-122-21-114.rev.libertysurf.net] has quit []
14:35 < cpm> This must be thursday
14:35 < cpm> I never could get the hang of thursdays
14:37 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:52 < plaerzen> back from lunch
14:52 < plaerzen> had several beers.
14:55 < plaerzen> now I'm happy
15:16 < plaerzen> harro?
15:19 -!- Whoopie_ is now known as Whoopie
15:43 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
16:02 < Optic> mooo
16:19 -!- fer_luck [n=fer_luck@201-88-32-138.cbace700.e.brasiltelecom.net.br] has left ##openvpn []
16:40 -!- SilenceGold [n=chris@adsl-70-232-78-19.dsl.ltrkar.sbcglobal.net] has quit [Read error: 104 (Connection reset by peer)]
16:49 -!- SilenceGold [n=chris@adsl-70-232-78-19.dsl.ltrkar.sbcglobal.net] has joined ##openvpn
16:54 < plaerzen> moo
16:56 < plaerzen> ok, see ya folks monday
16:56 * plaerzen waves.
17:12 -!- sega01 [n=sega01@2001:470:8:29:250:4ff:fe20:dbc4] has quit ["leaving"]
17:22 -!- bandini [n=bandini@host169-105-dynamic.16-79-r.retail.telecomitalia.it] has quit [Remote closed the connection]
18:01 -!- BoomSie [n=gideon@212-182-158-43.ip.telfort.nl] has quit ["Ex-Chat"]
18:19 -!- ggeller [n=sdlinuxg@dsl017-112-098.lax1.dsl.speakeasy.net] has joined ##openvpn
18:22 -!- Netsplit kubrick.freenode.net <-> irc.freenode.net quits: epsilon, kala, Bheam, plik, steve, djs
18:22 -!- Netsplit over, joins: steve, djs, plik, Bheam, kala, epsilon
18:59 -!- ggeller [n=sdlinuxg@dsl017-112-098.lax1.dsl.speakeasy.net] has quit ["Ex-Chat"]
19:21 < ecrist> evening, folks
19:39 -!- aptanet [n=Paul@87-127-190-18.no-dns-yet.enta.net] has quit ["Leaving"]
21:02 * ecrist waves back.
21:50 -!- Whoopie_ [i=Whoopie@unaffiliated/whoopie] has joined ##openvpn
21:51 -!- Whoopie [i=Whoopie@unaffiliated/whoopie] has quit [Read error: 60 (Operation timed out)]
21:51 -!- Whoopie_ is now known as Whoopie
23:41 -!- dmz [n=dmz@12.149.3.162] has joined ##openvpn
--- Day changed Fri Aug 22 2008
00:42 -!- dmz [n=dmz@12.149.3.162] has left ##openvpn ["Leaving"]
01:57 -!- aia [n=aia@unaffiliated/aia] has quit ["Bye"]
02:04 < kraut> moin
02:54 -!- BoomSie [n=gideon@dw772421126.amsterdam-tc.dataweb.net] has joined ##openvpn
04:11 -!- aptanet [n=Paul@87-127-190-18.no-dns-yet.enta.net] has joined ##openvpn
05:37 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
06:20 -!- gallatin [n=gallatin@dslb-092-072-075-163.pools.arcor-ip.net] has joined ##OpenVPN
06:41 -!- gallatin [n=gallatin@dslb-092-072-075-163.pools.arcor-ip.net] has quit ["Client exiting"]
07:07 < ecrist> howdy, folks.
07:18 < cpm> lo
07:27 < kala> which of the X.509 EKU Extensions makes more sense for OpenVPN servers and clients, id-kp-ipsecEndSystem or id-kp-serverAuth and id-kp-clientAuth ?
07:27 < kala> I'm trying to design the certificate templates for these
07:28 < kala> and it seems that I can verify those EKU's in the OpenVPN config file
07:30 < kala> because OpenVPN is not really IPSEC ... SSL server and client certificates seem more appropriate
07:32 < cpm> OpenVPN isn't IPSec at all.
07:32 < kala> oh, RFC4945 declares that id-kp-ipsecEndSystem is obsolete anyway
07:36 < kala> ok. but another thing. How do I verify that server or clients' certificate is given out from specific OU?
07:37 < kala> --tls-remote verifies the CN value or the whole Subject value
07:38 < kala> so, the only way is to write a custom script and use --tls-verify ?
08:35 -!- svenx [n=sveniu@pat-tdc.opera.com] has joined ##openvpn
08:36 < svenx> nice. www.secure-computing.net uses a self-signed cert? :)
08:38 < svenx> anyway, i'm thinking about split dns, or dns hijacking. the infamous cisco client has a feature where you can specify for which domains dns requests are to be forwarded to the DNS server through the tunnel
08:39 < svenx> so, i can configure the client to forward all DNS queries for the example.net domain to a separate DNS server, provided by the VPN server. the rest will go to the client's own/local DNS
08:40 < svenx> are there any facilities for this in openvpn? it seems there are not, so either all queries go through the tunnel, or none of them do (and you'll have to resort to using ip addresses)
08:41 < cpm> svenx, I fiddled about with pushing resolver to the vpn clients, to a bind server that was specific to the vpn lan, which was a dmz. That worked okay. Not too sure what you needing to do.
08:42 < ecrist> serverauth/clientauth
08:43 < ecrist> svenx: if you want to buy me a certificate, you're welcome to do so.
08:44 < svenx> cpm: i was just thinking it's a good idea to keep the relevant tunnel traffic in the tunnel, so i won't get the client's other data into my net. just for the sake of cleanness
08:44 < svenx> i.e. i don't want to resolve all his requests for slashdot.org and localnewspaper.net
08:44 < ecrist> svenx: imho, DNS isn't that big an issue.
08:44 < svenx> but it seems that's the simplest way anyway. right
08:45 < svenx> ecrist: sorry, self signed is fine :)
08:45 < ecrist> where I work, we actually make all our DNS public, so we don't have to push DNS server.
08:45 < ecrist> we're a pretty small network, though.
08:47 < ecrist> conversely, I wouldn't see DNS requests as such a big deal, if you do caching and such. Not exactly a high-bandwidth service.
08:47 < svenx> agreed
09:32 < pUmkInhEd> hrm, so i ask your dns server for exchange.yourdomain.com and your dns server spits back 192.168.100.100 ?
09:33 < pUmkInhEd> even better, ask it for exchange.yourdomain.local lol
09:33 < pUmkInhEd> svenx: i think what you want to do is push the connection-specific-suffix
09:34 < pUmkInhEd> push "dhcp-option DOMAIN mydomain.local"
09:34 < pUmkInhEd> and also push a dns server, push "dhcp-option DNS 10.0.0.x"
09:35 < pUmkInhEd> then when clients try to resolve comp.mydomain.local it will use that dns server...
09:35 < pUmkInhEd> or does that redirect ALL dns requests.... not sure, but i know it works
09:37 < svenx> that's the search domain, so when clients enter unqualified hostnames, like 'webserver', it will first append 'mydomain.local' before querying the dns server
09:39 * cpm *really* wishes folks would NEVER EVER use the .local suffix for anything outside of 127/8
09:40 < ecrist> will someone debug my kernel, please?
09:41 < ecrist> pUmkInhEd: no, we have real IPs for most things.
09:42 < ecrist> the vast majority are firewalled, however.
09:44 < cpm> what's wrong with yer kernel?
09:44 < ecrist> http://pastebin.com/m4788a979
09:46 < cpm> ick.
09:46 * cpm runs away
09:48 < cpm> how old is this kernel?
09:48 < cpm> what source tree?
09:50 < ecrist> freebsd 7.0-RELEASE
09:50 < ecrist> patch 3, too.
09:50 < ecrist> FreeBSD leopard.claimlynx.com 7.0-RELEASE-p3 FreeBSD 7.0-RELEASE-p3 #1: Tue Jul 15 13:53:28 CDT 2008 root@leopard.claimlynx.com:/usr/obj/usr/src/sys/GENERIC i386
09:50 < ecrist> not very old.
09:51 < cpm> No, not very.
09:51 < cpm> Might take it to the freebsd list.
09:51 < cpm> or, swap that ram out :)
09:52 < ecrist> cpm, it's not ram
09:52 < kala> a proposal for a patch. currently tls-remote checks strictly, if (strcmp (opt->verify_x509name, subject) and so, you cannot check just the first part of the Subject Name and you are forced to write a custom script. It would be nice to use a strncmp (opt->verify_x509name, subject, strlen (opt->verify_x509name)) == 0 check, this way you could specify part of Subject Name and still get a match :)
09:52 < cpm> probably not. But that's always my default when you have some uptime and the kernel just decides to vomit.
09:53 < cpm> and more than once, I've made panics go away by replacing the ram.
09:53 < cpm> heck, I've made'em go away by reseating the ram and cpu.
09:53 < cpm> I think folks take hardware for granted. and expect that if it works, it is without flaw.
09:54 < cpm> which is not true.
09:54 < ecrist> cpm, here's the back story. that's our backup server. we off-load to a usb drive, which gets rotated weekly (two drives).
09:55 < ecrist> one drive has no problems, when I use the other drive, it gets all crashy.
09:55 < cpm> replace the drive.
09:55 < ecrist> I don't see any major problems with the drive, though.
09:55 < cpm> you don't see a problem when you connect it, it crashes your server?
09:55 < ecrist> I can format it, and I can do a dd if=/dev/random of=/dev/usbdrive all day without problems.
09:55 < cpm> but when you connect it, it crashes your box
09:56 < ecrist> no, it doesn't immediately crash, only during heavy writes (I think)
09:56 < cpm> hrmmm, but not with the other drive?
09:56 < cpm> are these in drive enclosures? or are you swapping the drive out of the same enclosure?
09:57 < ecrist> different drive enclosures.
09:58 < ecrist> durr, don't know why I didn't try changing the enclosure.
09:58 < cpm> swap the drives around in the enclosures, see if the crash follows the drive, or the enclosure. SOLVE.
10:20 < ecrist> I want to kick half of the slashdot user base's ass right now.
10:28 < ecrist> lol, startssl.com crashes safari
10:33 < kala> OpenVPN cannot download the CRL file by itself and cannot use OCSP, right?
10:37 < ecrist> it needs to have a current CRL available on the filesystem.
10:38 < kala> right 10:43 < kala> perhaps can I do the download in the --ipchange or --route-up script? 10:55 < kala> no, the correct place should be tls-verify script 10:58 -!- dmarkey [n=dmarkey@nat/ibm/x-294c1f9d2daf96a9] has quit [Remote closed the connection] 11:00 -!- BoomSie [n=gideon@dw772421126.amsterdam-tc.dataweb.net] has quit ["Ex-Chat"] 11:25 -!- xattack [i=invitado@132.248.108.239] has joined ##openvpn 11:45 < ecrist> kala: the CRL is only useful to the server, not the clients. 12:07 < kala> certainly more useful to the server, than clients :) 12:08 < kala> it seems that one could perhaps hack a OCSP verifier with an OpenSSL "ocsp" command 12:09 < ecrist> what are you trying to do, exactly? 12:09 < kala> work out a large-scale OpenVPN installation 12:09 < kala> 500-2000 clients, many servers 12:09 < kala> with corporate CA and stuff :) 12:09 < ecrist> oh, cron that 12:10 < ecrist> fetch "URI://to-our-crl" 12:10 < ecrist> once an hour or something. 12:10 < kala> yep, it makes sense to cache the file on the server side. 12:10 < ecrist> and, to top that, in your CA signing scripts, have a routine which pushed the new CRL to the OpenVPN servers. 12:10 < ecrist> or, NFS mount a small directory which contains the CRL. 12:10 < ecrist> to each OpenVPN server. 12:11 < kala> yep, that might be possible too 12:11 < kala> the CA is Microsoft CA though :) 12:13 < ecrist> so waht? 12:13 < ecrist> what* 12:13 < ecrist> Windows can still be scripted. 12:15 < ecrist> why is it so damn quiet in here today? 12:23 < Optic> cause i'm busy at work :) 12:23 < Optic> hehe 12:28 -!- kraut [i=kraut@blackhole.packetloss.biz] has quit [Read error: 101 (Network is unreachable)] 12:53 -!- near [n=near@88-122-16-182.rev.libertysurf.net] has joined ##openvpn 12:53 -!- j_nwb [n=j_nwb@c-98-210-141-122.hsd1.ca.comcast.net] has joined ##openvpn 13:00 < j_nwb> hi guys, is it possible to bridge the openvpn connection at the client end ? 
i.e multiple machines on the client n/w can get openvpn address ? (In particular I am looking for making virtual machines running on client machine to obtain ip address from the openvpn interface not the local (client) network.) 13:01 < ecrist> sort of 13:01 < j_nwb> so on the client I want to create vpn-bridge and add the tun0 interface to it. After that I can direct the VMs to use the bridge and hence get ip address via tun0. 13:02 < ecrist> don't have openvpn do the IP assignment - do that with a DHCP server separate from OpenVPN 13:02 -!- thomas [i=tm@tm.muc.de] has joined ##openvpn 13:02 < thomas> hello! 13:02 < thomas> peoples here? :-( 13:03 < j_nwb> but I am allowing client-client on the openvpn.. so.. what I am trying to do is to allow VMs at all client location to be on "openvpn network" 13:03 -!- bandini [n=bandini@host244-109-dynamic.25-79-r.retail.telecomitalia.it] has joined ##openvpn 13:04 < thomas> have a openvpnserver and a client, works both perfect. now i would like if i go to myexternip (example 111.111.111.111)eth0 and port 5500 then redirect to 10.55.0.2 port 80 tap0 13:04 < thomas> is it possible? 13:05 * cpm falls over 13:05 < thomas> cpm: hm? 13:06 < j_nwb> ecrist: where do u suggest the dhcp should live ? openvpn server n/w, I guess.. but I do not know how does this help ? 13:06 < thomas> have tried this: iptables -t nat -A PREROUTING -p tcp --dport 5500 -j DNAT --to 10.55.0.2:80 13:06 < thomas> but doesn't work 13:07 < thomas> from local (10.55.0.1 (the vpnserver)) i have access to 10.55.0.2:80 13:07 < thomas> ideas? 13:08 -!- near [n=near@88-122-16-182.rev.libertysurf.net] has quit [] 13:15 * ecrist figures out what categories are in mediawiki and feels like a genius. 13:16 < thomas> ecrist: can you help me please? 13:16 < ecrist> j_nwb: what you need then, is an openvpn client installed on each machine connecting. 13:16 < ecrist> otherwise, you need to fix your routing. 
13:17 < ecrist> thomas: it is possible, I don't know iptables, though, as linux sucks balls, so try pf. 13:17 < ecrist> :P 13:17 < thomas> ecrist: I would like forward a port to the openvpn client. 13:17 < ecrist> thomas: you can do that, but it's not really in the scope of this chan. 13:18 < thomas> hm ok 13:18 < thomas> thx 13:18 < ecrist> we can try to help you, but I don't think anyone here's an expert at iptables. 13:33 < j_nwb> ecrist : Thanks I will think it that way... can I use bridge on the client side and tap interface and not have to think about routing ? 13:53 -!- near [n=near@88-122-16-182.rev.libertysurf.net] has joined ##openvpn 13:56 -!- xattack [i=invitado@132.248.108.239] has quit ["Leaving"] 13:58 -!- Dougy [n=doug@64.18.159.247] has joined ##openvpn 13:58 < Dougy> Hi there 13:59 < Dougy> I have OpenVPN set up on my server and I have 2 clients, and I'm using 172.16.0.0/29 13:59 < Dougy> Both the clients when connecting, I see this: 13:59 < Dougy> Fri Aug 22 14:55:03 2008 PUSH: Received control message: 'PUSH_REPLY,route 172.16.0.0 255.255.255.0,route 172.16.0.0 255.255.255.248,ping 10,ping-restart 120,ifconfig 172.16.0.6 172.16.0.5' 13:59 < ecrist> j_nwb: yes 13:59 < Dougy> They both get the same IP. 13:59 < Dougy> Why is it doing that? 13:59 < ecrist> Dougy: are they both using the same client certificate? 14:00 < ecrist> also, it would help if you could paste your client and server configs 14:00 < Dougy> client configs are identical except for the name of the cert they are using 14:00 < Dougy> ecrist: client 1 uses client1.crt and client2 client2.crt 14:01 < ecrist> Dougy: the filename doesn't matter. 14:01 < ecrist> are they actually different certificates? 14:02 < Dougy> yes 14:02 < Dougy> I did ./build-key client1 and ./build-key client2 14:02 < Dougy> can I PM you a link to the config, I'd prefer not to share my site + IP with the world 14:03 < Dougy> ? 
14:04 < rmull> ecrist cannot be trusted 14:04 < Dougy> :< 14:04 < ecrist> :P 14:05 < Dougy> http://thrian.douglashaber.com/server.conf 14:05 * ecrist looks 14:06 < ecrist> that link isn't working. 14:06 < ecrist> :\ 14:06 < Dougy> it works for me 14:06 < Dougy> :S 14:06 < Dougy> what error do you get 14:06 < ecrist> Safari can't open the page "http://thrian.douglashaber.com/server.conf" because it can't find the server "thrian.douglashaber.com". 14:06 < rmull> Does not work for me either, address not found 14:06 < Dougy> strange 14:06 < rmull> ffox3 14:06 < ecrist> it's not a browser problem, isn't a firewall/DNS issue. 14:06 < ecrist> pastebin ftw 14:07 < Dougy> its something i did with the dns server 14:07 < Dougy> hold on 14:07 < Dougy> chances are it may work now 14:07 < Dougy> either way 14:07 < rmull> Dougy: Just pastebin.ca and replace your IPs/names with fake ones if you want 14:07 < Dougy> paste binning 14:07 < ecrist> still no worky 14:07 < Dougy> meh 14:07 < Dougy> ill fix soon 14:07 < Dougy> http://rafb.net/p/rhl8qs53.html 14:07 < vpnHelper> Title: Nopaste - No description (at rafb.net) 14:09 < ecrist> ooh, itunes found my "Team America" sound track. 14:09 < Dougy> lol 14:09 * ecrist listens to "The End of an Act" 14:10 < Dougy> I probably did something wrong with the config 14:11 < ecrist> I miss you more than Michael Bay missed the mark, 14:11 < ecrist> When he made Pearl Harbor. 14:11 < ecrist> I miss you more than that movie missed the point, 14:11 < ecrist> And that's an awful lot . 14:12 < ecrist> hrm, the routing is your issue, I think. 14:12 < ecrist> You're assigning the server 172.16.0.0/29, but pushing 172.16.0.0/24 14:14 < Dougy> er 14:15 < Dougy> let me try fixing 14:15 < ecrist> :) 14:15 < Dougy> i doubt that'll fix it but he 14:15 < Dougy> y 14:15 < Dougy> I need to edit the push line then ecrist 14:16 < ecrist> yes 14:16 < ecrist> why are you pushing the class c? 14:16 < ecrist> is that the address space your LAN uses? 
14:16 < Dougy> I felt like it 14:16 < Dougy> I only really need a /29 14:16 < ecrist> oh, then remove the whole line 14:17 < ecrist> no push 14:17 < ecrist> and, tbh, that /29 doesn't give you a lot of breathing room. 14:17 < ecrist> actually, it doesn't give you any breathing room. 14:18 < Dougy> What od you suggest 14:18 < Dougy> do* 14:18 < Dougy> And, still both get .6 14:18 < Dougy> they get .6 and PTP of .5 14:19 < ecrist> open that subnet up to a /28 14:19 < ecrist> try again. 14:19 < ecrist> a /29 doesn't have enough room for 2 clients 14:20 < Dougy> done 14:20 < Dougy> well 14:20 < Dougy> set to a /28 14:20 < Dougy> connecting clients now 14:20 < Dougy> still both get .6 14:20 < ecrist> I should've noticed the subnet issue earlier, sorry. 14:20 < ecrist> did you restart the openvpn server? 14:20 < Dougy> yes 14:21 < ecrist> can I see new config, please? 14:21 < Dougy> just before i do that 14:21 < Dougy> each client reports this: 14:21 < Dougy> Fri Aug 22 15:20:18 2008 route add -net 172.16.0.0 netmask 255.255.255.240 gw 172.16.0.5 14:21 < Dougy> Fri Aug 22 15:20:18 2008 Initialization Sequence Completed 14:21 < Dougy> Fri Aug 22 15:20:18 2008 PUSH: Received control message: 'PUSH_REPLY,route 172.16.0.0 255.255.255.240,ping 10,ping-restart 120,ifconfig 172.16.0.6 172.16.0.5' 14:22 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 14:22 < Dougy> ecrist: http://rafb.net/p/bJeHTX19.html 14:22 < vpnHelper> Title: Nopaste - No description (at rafb.net) 14:25 < ecrist> running openvpn on ns2.douglashaber.com, eh? 14:25 < Dougy> yep, same box as ns2 14:25 < Dougy> (till i get it working) 14:25 < Dougy> o.O 14:26 < ecrist> remove your ipp.txt line (line 103) 14:26 < ecrist> restart, bake at 350 for 1/2 hour 14:26 < Dougy> haha 14:26 < Dougy> anything else ecrist 14:26 < ecrist> nope, try that. 14:26 < ecrist> you do webhosting out of your home? 14:27 < Dougy> same thing 14:27 < Dougy> no, why? 14:27 < ecrist> just curious. you got a /29? 
14:27 < ecrist> or is that a colo? 14:27 < Dougy> Er maybe I'm not getting the whole vpn thing o.O 14:28 < Dougy> I thought it was a private network 14:28 < Dougy> like I don't need the actual /29 14:28 < Dougy> o.O 14:28 < Dougy> just one ip 14:28 < ecrist> did you restart? 14:28 < ecrist> the Openvpn server daemon? 14:28 < Dougy> yes 14:29 < Dougy> every time i get the .6 on both, i kill all 3 (2 clients + server) 14:29 < Dougy> until you give me something new to d 14:29 < Dougy> do* 14:29 < ecrist> can I see the server logs? 14:29 < Dougy> er 14:29 < Dougy> if i can find them 14:29 < ecrist> what OS? 14:29 < Dougy> or do you mean when i run openvpn server.conf 14:29 < Dougy> Cent5 14:29 < Dougy> (for the server) 14:29 < ecrist> yes, when you run openvpn server.conf 14:30 < Dougy> I am definitely pm'ing you this 14:31 < ecrist> ok 14:31 < ecrist> I already know your IPs. :D 14:32 < Dougy> yeah i know 14:32 < Dougy> lol 14:33 < ecrist> rolf: http://www.theonion.com/content/news/michael_phelps_returns_to_his_tank 14:33 < vpnHelper> Title: Michael Phelps Returns To His Tank At Sea World | The Onion - America's Finest News Source (at www.theonion.com) 14:33 < Dougy> hah 14:33 -!- BoomSie [n=gideon@212-182-158-43.ip.telfort.nl] has joined ##openvpn 14:34 < ecrist> Dougy: the problem is that both client certificates are the same. 14:34 < Dougy> wtf 14:34 < Dougy> I told you what I did :S 14:35 < Dougy> -bash-3.2# history | grep build-key 14:35 < Dougy> 224 ./build-key-server server 14:35 < Dougy> 225 ./build-key client1 14:35 < Dougy> 226 ./build-key client2 14:35 < Dougy> 272 history | grep build-key 14:35 < Dougy> -bash-3.2# 14:35 < ecrist> hrm 14:35 < Dougy> client1 is my server, client2 is my laptop 14:35 < ecrist> do you have logs where both clients connect? 14:35 < Dougy> i can try to get them again 14:35 < ecrist> wait 14:36 < ecrist> is your server trying to connect to itself? 
14:37 < Dougy> no 14:39 < Dougy> okay 14:39 < Dougy> so that's got to be it 14:39 < Dougy> so i can make it like 14:39 < Dougy> vpn1.domain.com 14:39 < Dougy> and vpn2.domain.com 14:39 < Dougy> ? 14:39 < ecrist> if you add duplicate-cn to your config, it will work OK. 14:39 < Dougy> i'll resign them since i already rm -rf'd it 14:39 < ecrist> with the same certificate 14:39 < Dougy> haha 14:40 < Dougy> can i do vpn1. and vpn2.domain.com for the common name 14:40 < Dougy> like will that work 14:40 < ecrist> sure 14:40 < ecrist> as long as they're different. 14:40 < Dougy> what about common name for server and the ca cert 14:40 < Dougy> can they be the same? 14:40 < ecrist> yes, that doesn't really matter 14:40 < ecrist> in these regards, that is 14:40 < Dougy> just the clients? 14:41 < Dougy> for common name, can it be like "John Doe" and "Jane Doe" 14:41 < Dougy> or is it one word 14:42 < ecrist> you can have spaces. 14:42 < ecrist> like I said, you can just hand out one certificate, if you add duplicate-cn to your config. 14:42 < ecrist> the downside is you can't remove a single client, then, you have to revoke them all. 14:42 < ecrist> unless you're using a secondary authentication token. 14:43 < Dougy> yeah 14:43 < Dougy> im already resigning them 14:46 * ecrist <3 The Onion 14:46 < ecrist> Due to a deadline, The Onion had to make an educated guess on how the runoff election for Rockwell County supervisor ended last night. The guess turned out to be wrong, but the article was in on time. 14:47 -!- pred2k5 [n=Torsten@dslb-088-069-220-255.pools.arcor-ip.net] has joined ##openvpn 14:47 < pred2k5> hi, how to create certificates, when I only have ca.crt ca.key? 14:48 < pred2k5> he complains about index.txt 14:48 < pred2k5> and serials 14:48 < ecrist> http://openvpn.net/howto.html#pki 14:48 < vpnHelper> Title: OpenVPN 2.0 HOWTO (at openvpn.net) 14:49 < ecrist> *or* download my ssl-admin script, and your world will be a happier place. 14:49 < pred2k5> ssl-admin script? 
14:49 < pred2k5> I do it with easy-rs 14:49 < pred2k5> a 14:50 < pred2k5> I also have dh1024 14:50 < ecrist> pred2k5: read the link i gave above. 14:50 < pred2k5> doing so 14:50 < ecrist> easy-rsa sucks balls, fwiw. 14:51 * ecrist should've called ssl-admin easier-rsa 14:51 < Dougy> im trying it now ecrist 14:51 < ecrist> trying what? 14:52 < Dougy> yay 14:52 < Dougy> one client got .6 one got .10 14:52 < Dougy> o.O 14:52 < Dougy> Why is there a .4 difference 14:52 < ecrist> grats 14:53 < ecrist> Dougy: OpenVPN <2.1 creates a series of /30 subnets for each client, and one for the server. 14:53 < pred2k5> cant find the solution 14:53 < ecrist> so, a /29 doesn't have room for more than 1 client (/30 for server, /30 for one client = 8 ips) 14:53 < ecrist> pred2k5: look harder, or read the help in easyrsa. 14:53 < ecrist> or use ssl-admin 14:53 < ecrist> !ssl-admin 14:53 < vpnHelper> ecrist: "ssl-admin" is https://www.secure-computing.net/wiki/index.php/OpenVPN_Server 14:54 < pred2k5> I thought ssl admin is the same as easyrsa 14:54 < Dougy> oh. 14:54 < ecrist> pred2k5: no, it does some of the same, but it's in perl, and better. 14:54 < Dougy> So if I want 5 clients 14:54 < Dougy> I basically need a /27 14:54 < ecrist> Dougy: just do a /24 and call it good. 14:54 < pred2k5> so 2.1 doesnt create one for server and one for client? 14:55 < ecrist> no, it's got a way to do /32 subnetting. 14:55 < ecrist> or is it /31 14:55 < ecrist> but, it doesn't need to do a series of /30s. 14:58 < ecrist> l8r, kids, I go to work on my truck. 14:58 -!- MoL0ToV [n=g@89.106.92.16] has quit ["changing servers"] 15:00 -!- MoL0ToV [n=g@89.106.92.16] has joined ##openvpn 15:01 < Optic> moo 15:02 < pred2k5> should be one command, or why do you give me a link? 15:10 -!- kraut [i=kraut@2001:6f8:12a9:0:0:0:4:0] has joined ##openvpn 15:13 < Dougy> Btw, thanks ecrist (when you get back you'll see) 15:24 < pred2k5> where to get ssl-admin.pl ? 
15:26 -!- j_nwb [n=j_nwb@c-98-210-141-122.hsd1.ca.comcast.net] has quit [Read error: 110 (Connection timed out)] 15:28 -!- pred2k5 [n=Torsten@dslb-088-069-220-255.pools.arcor-ip.net] has quit [] 15:29 < Dougy> google it 16:25 -!- krzee [n=k@unaffiliated/krzee] has joined ##openvpn 16:32 -!- krzee [n=k@unaffiliated/krzee] has quit ["Leaving"] 16:32 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 16:58 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn 17:22 < krzee> !iroute 17:22 < vpnHelper> krzee: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. ccd entries are basically included into server.conf, but only for the specified client, so when the network is behind a client the iroute goes into the clients ccd entry. 17:53 -!- BoomSie [n=gideon@212-182-158-43.ip.telfort.nl] has quit ["Ex-Chat"] 18:06 < Dougy> goin home 18:19 -!- undertakingyou [n=will@undertakingyou.dsl.xmission.com] has joined ##openvpn 18:25 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)] 18:28 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Client Quit] 18:29 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 18:35 < undertakingyou> Question for any who will answer: I am using OpenVPN on a pfsense firewall. When Client1 connects it is given ip address 10.0.4.6, which makes sense. When Client2 connects it is given the address of 10.0.4.6, and then will not stay connected. Is there a trick around this? 
18:49 -!- Netsplit kubrick.freenode.net <-> irc.freenode.net quits: pa, krzy, plaerzen, adie, kaynine, mcp 18:52 < ecrist> yes 18:52 < ecrist> either 1) use different client certificates 18:53 < ecrist> or 2) add duplicate-cn yes to your config and restart openvpn 18:53 -!- Netsplit over, joins: pa, adie, plaerzen, krzy, mcp, kaynine 18:56 < undertakingyou> This link the guy has the same problem: http://openvpn.net/archive/openvpn-users/2004-10/msg00156.html But there is no answer because of PHP errors. 18:56 < vpnHelper> Title: [Openvpn-users] Multiple clients with the same ip address (at openvpn.net) 18:56 -!- Netsplit kubrick.freenode.net <-> irc.freenode.net quits: pa, krzy, plaerzen, adie, kaynine, mcp 18:56 < ecrist> I just answered you. 18:56 -!- Netsplit over, joins: pa, adie, plaerzen, krzy, mcp, kaynine 18:59 < ecrist> undertakingyou: you'll notice that the message you're referring to is from October, 2004. I'm sure this isn't an *issue* and more likely a PEBKAC error. 19:31 -!- masquerade [n=robert@c-71-200-21-140.hsd1.de.comcast.net] has joined ##openvpn 19:31 < krzee> also, are you allowing openvpn to hand out whatever ips it chooses? 19:31 < krzee> !sample 19:31 < vpnHelper> krzee: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs 19:32 < krzee> like 19:32 < krzee> server 10.8.1.0 255.255.255.0 19:33 -!- aptanet [n=Paul@87-127-190-18.no-dns-yet.enta.net] has quit ["Leaving"] 19:41 -!- Mattz0r [n=user@cpc1-linc5-0-0-cust861.nott.cable.ntl.com] has joined ##openvpn 19:42 < Mattz0r> hey there, im trying to do "./build-dh" on my freebsd host box, but.. it doesnt seem to be doing anything :/ - any advice? 19:51 -!- masquerade [n=robert@c-71-200-21-140.hsd1.de.comcast.net] has quit [] 19:59 < ecrist> Mattz0r: ick 19:59 < Mattz0r> ? 20:00 < ecrist> you got a recent version of ports tree? 
20:00 < Mattz0r> yep 20:00 < ecrist> cd /usr/ports/security/ssl-admin && make all install clean && party 20:00 < ecrist> the last command is optional, but it *is* friday 20:00 < Mattz0r> ok 20:00 < Mattz0r> lol 20:00 < ecrist> rehash and run ssl-admin 20:01 < ecrist> oh, you have to edit the config, first. 20:01 < ecrist> if you have problems, let me know. I wrote it. 20:01 < Mattz0r> hmmm 20:01 < Mattz0r> ssl-admin doesnt seem to exist :| 20:01 < Mattz0r> let me do a fetch and extract real quick 20:01 < ecrist> recent copy of ports tree? 20:02 < ecrist> I committed it about 3 weeks ago. 20:02 < Mattz0r> i use portsnap fetch, portsnap extract, portupgrade -au 20:02 < ecrist> rather, asked to have it committed. 20:02 < Mattz0r> ? 20:02 < ecrist> ah, not a user of those tools, myself. 20:02 < ecrist> good ol' csup for me. 20:03 < Mattz0r> its just the way i learnt 20:08 < ecrist> hrm, looks like I've bugs in the ports version of the script. 20:09 < Mattz0r> ah 20:10 < ecrist> and, to my embarrassment, it doesn't, yet, create a dh key. 20:10 < Mattz0r> lolz 20:11 * ecrist adds it to his to-do list. 20:11 < Mattz0r> so this wont help me? lol 20:11 < ecrist> well, it will, managing certificates. 20:11 < ecrist> easy-rsa sucks balls 20:12 < Mattz0r> hehe 20:12 < Mattz0r> i've had no probs 20:12 < Mattz0r> upto "build-dh" 20:12 < ecrist> it's ticket #3 in my trac. 20:12 < ecrist> congrats. 20:13 < Mattz0r> lol 20:13 < ecrist> ok, lemme lookup the code to do it. 20:13 < ecrist> well, see, i've had the perl script for a couple years in various forms I've handed out to folks. Finally, enough people have convinced me to port it to the FreeBSD tree and actually make a project out of it. 20:14 < ecrist> it's still in it's infancy, but relatively full-featured. 
20:14 < ecrist> minus this caveat 20:14 < Mattz0r> ah 20:16 < ecrist> openssl dhparam -out ${KEY_DIR}/dh${KEY_SIZE}.pem ${KEY_SIZE} 20:16 < Mattz0r> oki doki 20:16 < ecrist> so, I think, "openssl dhparam -out ./dh1024.pem 1024 would work. 20:16 < Mattz0r> ok 20:17 < Mattz0r> that works 20:17 < Mattz0r> just have to wait for it to create now =] 20:18 < Mattz0r> Oh yea... while im here, and someone with more than half a brain cell is about - If my host has a block of 64 ip addresses - can i push the external IP's out to clients, or at least, hide clients behind different IP addresses? 20:18 < ecrist> not sure I completely follow. 20:18 < Mattz0r> ok 20:18 < ecrist> the answer is going to be yes, but I need a bit more info. 20:18 < Mattz0r> ok 20:19 < Mattz0r> ill try :) 20:19 < Mattz0r> vpn host (64 IP block) 20:19 < Mattz0r> client one - behind ip1, client 2 behind ip2, etc etc 20:19 < Mattz0r> rather than all the clients being behind the same ip addess 20:19 < Mattz0r> address* 20:21 < ecrist> sure. 20:21 < Mattz0r> i've just never figured out how lol 20:21 < ecrist> you're going to be best off doing a bridged VPN in your case. 20:21 < Mattz0r> ok.. 20:21 < Mattz0r> lol 20:22 < ecrist> OpenVPN, the way it doles out static IPs chunks them in /30 subnets, so you essentially lose 3/4 of your IP space. Ick. 20:22 < ecrist> 2.1 is going to do away with that, but it's still in beta. 20:22 < Mattz0r> i see 20:23 < Mattz0r> but wouldnt it be like a hide nat? 20:23 < Mattz0r> rather than assigning the ip's to the clients 20:25 < ecrist> hrm, not really, depending on your network structure. 20:25 < Mattz0r> well, its just a rented dedicated box, 20:25 < Mattz0r> in the USA 20:26 < Mattz0r> and im based in the UK 20:26 < ecrist> so, you want to be able to VPN in and have a US IP address? 20:26 < ecrist> essentially. 
20:26 < Mattz0r> well, i mean i got a bunch of people that i need to have access, but i went each person, to be behind a different IP 20:27 < Mattz0r> want* 20:27 < Mattz0r> not sure how effective that is though, 20:29 < ecrist> do you need them to have static IPs or can they be dynamic? 20:29 < Mattz0r> they can be dynamic, but static would help. 20:29 < Mattz0r> as each ip would have a diff reverse address 20:29 < ecrist> how many clients? 20:29 < ecrist> ok, static it is. 20:30 < ecrist> you *may* want to consider running 2.1 for its better IP assignment features. 20:30 < Mattz0r> ahh 20:31 < ecrist> how many clients? 20:31 < Mattz0r> 5 atm 20:32 < ecrist> you'll need a client config for each client you add, to assign them the static IP. 20:32 < Mattz0r> ok 20:32 < Mattz0r> dont they have that anyway? 20:32 < ecrist> I'm guessing one of the /26 you've got is the VPN server address? 20:32 < krzee> its just natting each ip with diff ip 20:32 < krzee> each vpn ip with diff external ip 20:33 < Mattz0r> yea... 20:33 < ecrist> krzee: you could do that, or assign the public IP to the client. 20:33 < krzee> oh whoa 20:33 < Mattz0r> either way works for me. 20:33 < krzee> never knew you could do that 20:33 < krzee> thats coolness 20:33 < Mattz0r> neither did i lol 20:33 < ecrist> krzee: why not? 20:33 < ecrist> an IP is an IP. 20:33 < Mattz0r> yea.. 20:33 < Mattz0r> the connection still goes via the host 20:33 < krzee> umm, i guess it never occurred to me 20:34 < Mattz0r> makes sense. 20:34 < ecrist> is one of the /26 ips your server IP? 20:34 < Mattz0r> well, not atm, but it can be :p 20:34 < ecrist> no, if it's not, that better. 
20:34 < krzee> oh right with routing that will be IP wasteful 20:34 < Mattz0r> oh 20:34 < Mattz0r> then no its not :P 20:35 < krzee> sorry, i will scroll up before any more comments 20:35 < krzee> lol 20:35 < Mattz0r> lol 20:35 < Mattz0r> XD 20:35 < ecrist> so, just setup your server config so that you're giving the entire /26 to your VPN daemon. 20:35 < ecrist> then, for each client you have, in ./ccd/ create a file with the same name as the CN for each client 20:35 < Mattz0r> oh wait 20:35 < Mattz0r> no 20:36 < Mattz0r> /26 = 64 block? 20:36 < Mattz0r> then yes.. my host is one of them ips 20:36 < ecrist> yes 20:36 < ecrist> ah 20:36 < ecrist> ok, we'll do this a different way. 20:36 < Mattz0r> ok 20:36 < ecrist> you know how to use pf? 20:37 < Mattz0r> no ¬_¬ 20:37 < krzee> just make a smaller block 20:37 < Mattz0r> but the guide im going through, includes that 20:37 < krzee> a /27 will be more than enough 20:37 < Mattz0r> could i not assign a /28? 20:37 < ecrist> to not be so wasteful, setup pf to nat each IP individually. 20:37 < ecrist> you could, but that limits you to 3 clients. 20:38 < krzee> a /28 is only 14 ips 20:38 < krzee> not enough for 5 20:38 < ecrist> OpenVPN's static IP setup is very wasteful 20:38 < krzee> but /27 is 20:38 < Mattz0r> ah 20:38 < Mattz0r> well either way works for me lol 20:38 < krzee> sorry 16 ips in this case 20:38 < krzee> 14 in normal subnetting cases 20:38 < Mattz0r> yea 20:38 < ecrist> do this, for your VPN subnet, assign 172.30.0.0 255.255.255.0 20:39 < ecrist> then, setup pf to do 1-1 nat, for each IP you want to make public. 20:39 < Mattz0r> ok, 20:39 < ecrist> it's a bit of work, but you'll be happy, I think, with the end result, and you're not wasting nearly as many public IPs 20:39 < Mattz0r> ironically, i work with firewalls for a living, just not freebsd based ¬_¬ 20:40 < krzee> Mattz0r, any of those windows? 20:40 < Mattz0r> all the clients are windows. 
20:40 < krzee> oh ok 20:40 < ecrist> Mattz0r: pf should make a lot of sense to you, then. 20:40 < krzee> otherwise you coulda gotten rid of the waste 20:40 < Mattz0r> ok 20:40 < Mattz0r> push "route 172.30.0.0 255.255.255.0" 20:40 < Mattz0r> ? 20:40 < ecrist> no 20:40 < Mattz0r> oh 20:40 < Mattz0r> ¬_¬ 20:40 < krzee> the wasteful method is a way to make windows work 20:40 < ecrist> you don't have to push, since it's 'local' to the vppn. 20:40 < ecrist> vpn* 20:41 < Mattz0r> ahhhh 20:41 * Mattz0r removes that part 20:41 < krzee> !push 20:41 < vpnHelper> krzee: Error: "push" is not a valid command. 20:41 < Mattz0r> !pull 20:41 < vpnHelper> Mattz0r: Error: "pull" is not a valid command. 20:41 < Mattz0r> xD 20:41 < krzee> !learn push as goes in the server config and makes the commands act as if they were in the client config, can be used in ccd entries 20:41 < vpnHelper> krzee: The operation succeeded. 20:42 < krzee> !forget push 20:42 < vpnHelper> krzee: The operation succeeded. 20:42 < Mattz0r> ¬_¬ 20:42 < ecrist> Mattz0r: start with getting OpenVPN running and assigning your addresses. 20:43 < krzee> !learn push as usage: push , goes in the server config and makes the command act as if it was in the client config, can be used in ccd entries 20:43 < vpnHelper> krzee: The operation succeeded. 20:43 < Mattz0r> so the server will assign a dynamic local ip? 20:43 < ecrist> for now, yes 20:43 < Mattz0r> ok 20:43 < krzee> you will set the ip in a ccd entry when ecrist gets you there 20:43 < krzee> !ccd 20:43 < vpnHelper> krzee: "ccd" is entries that are basically included into server.conf, but only for the specified client 20:43 < ecrist> just make sure you can connect and get an IP. 20:44 < Mattz0r> ok 20:44 < ecrist> !freebsd 20:44 < vpnHelper> ecrist: "freebsd" is https://www.secure-computing.net/wiki/index.php/OpenVPN_Server 20:44 < Mattz0r> sec 20:44 < ecrist> Mattz0r: ^^^ check that out. 
20:44 < krzee> ecrist, i think the bot and wiki were cool ideas =] 20:44 < ecrist> ditto 20:44 < Mattz0r> connection failed 20:45 < Mattz0r> page load error 20:45 < krzee> accept the cert 20:45 < ecrist> Mattz0r: accept my self-signed certificate. 20:45 < krzee> jinx 20:45 < Mattz0r> nothing came up 20:45 < Mattz0r> ok 20:45 < Mattz0r> nvm i got it 20:45 -!- ChanServ changed the topic of ##openvpn to: Donate $$ to ecrist for a *real* ssl cert! | | Home Page: http://openvpn.net | HowTo: http://openvpn.net/howto | Current Release: 2.0.9 | Wiki: https://www.secure-computing.net/wiki/index.php/OpenVPN | Pastebin your copies over 5 lines. | Don't feed the trolls. 20:46 < ecrist> $69 to go! 20:46 < Mattz0r> cool :) 20:47 < Mattz0r> well for all your help your giving, ill donate some $$ when i get paid ;) 20:48 < ecrist> I gotta go play Halo with the kid. Read up on that, get your VPN configured and handing out static IPs. 20:49 * krzee brings ecrist a briefcase of small unmarked bills 20:49 < Mattz0r> ok 20:49 < Mattz0r> halo 3? 20:49 < ecrist> I may be around early tomorrow morning, if not, I'm here M-F 7am-3pm Central, in and outish, depending on my work day. 20:49 < ecrist> yeah 20:49 < Mattz0r> :D 20:49 < Mattz0r> sweet 20:49 < Mattz0r> xbox live? :D 20:49 < ecrist> eyp 20:49 < Mattz0r> Mattz0rPwnz0r <-- 20:49 < krzee> heh 20:50 < Mattz0r> =P 20:50 < ecrist> I'll look you up. MnSlinky for me. kinda gay 20:50 < Mattz0r> lol 20:50 < Mattz0r> vanquish# /usr/local/etc/rc.d/openvpn start 20:50 < Mattz0r> Starting openvpn. 20:50 < Mattz0r> vanquish# 20:50 < Mattz0r> woot 20:50 < ecrist> been my moniker for ~20 years now, though, so I'm stuck with it 20:50 < Mattz0r> :p 20:50 < ecrist> bbl 20:50 < Mattz0r> tun0: flags=8010 mtu 1500 20:50 < Mattz0r> vanquish# 20:50 < Mattz0r> :| 20:50 < Mattz0r> lol 20:51 < ecrist> beer + halo 3 + kid = good family fun. 
20:51 < Mattz0r> lol 20:51 < ecrist> =d 20:51 < Mattz0r> i wouldnt know about that ;) 20:51 < Mattz0r> i'm prolly a "kid" in your eyes lol 20:51 < krzee> k now im curious 20:51 < krzee> age? 20:52 < Mattz0r> 20 20:52 < krzee> nah not kid to me 20:52 < Mattz0r> lol ok :P 20:52 < krzee> dunno bout ecrist tho ;] 20:52 < Mattz0r> ;] 20:53 < Mattz0r> yeah.. been doing firewalling for a year now :| 20:53 < Mattz0r> working with an in-house firewall system 20:53 < krzee> im bout to go work with an in-belly burger system 20:54 < krzee> ill bbl =] 20:54 < Mattz0r> lol 20:54 < Mattz0r> later 21:05 < Mattz0r> hmmm 21:16 < Mattz0r> bleh 21:17 < Mattz0r> its not assigning an ip :( 21:36 -!- near [n=near@88-122-16-182.rev.libertysurf.net] has quit [Read error: 110 (Connection timed out)] 21:37 -!- near [n=near@88-122-17-249.rev.libertysurf.net] has joined ##openvpn 21:44 < ecrist> ecrist: 3, ecrist_mini: 0 21:44 < ecrist> muahahaha! 21:44 < ecrist> Mattz0r: did you set it up as I listed in the wiki? 21:45 < Mattz0r> yea 21:45 < Mattz0r> i did 21:45 < ecrist> and the vpn clients aren't getting IPs? 21:45 < ecrist> you using tun or tap? 21:46 < Mattz0r> err 21:46 < Mattz0r> tap? 21:46 < Mattz0r> the server is tun0 21:46 < ecrist> and the client? 21:46 < Mattz0r> but my client is using tap? 21:46 < Mattz0r> i dont know :S 21:46 < ecrist> no, wrong 21:46 < ecrist> client and server need to match. 21:47 < Mattz0r> ok 21:48 < Mattz0r> well when i use tap... on the server 21:48 < Mattz0r> it doesnt show in ifconfig 21:48 < Mattz0r> =/ 21:50 -!- Whoopie_ [i=Whoopie@unaffiliated/whoopie] has joined ##openvpn 21:51 < ecrist> Mattz0r: my wiki example uses tun. 21:52 < ecrist> tap is a bridging mode driver, you need to actually build a bridge. i.e. no IPs are assigned. 21:52 < ecrist> follow the wiki, verbatim 21:52 < Mattz0r> oh 21:52 < Mattz0r> screw that then lol 21:52 < Mattz0r> but if my client's device is tap 21:52 < Mattz0r> how can it use tun? 
21:54 < Mattz0r> im maybe doing something wrong with the client.conf 21:54 < Mattz0r> :/ 21:56 < Mattz0r> tun0: flags=8051 mtu 1500 21:56 < Mattz0r> inet 172.30.0.1 --> 172.30.0.2 netmask 0xffffffff 21:56 < Mattz0r> Opened by PID 57616 21:56 < Mattz0r> but my client fails to connect ¬_¬ 21:56 < Mattz0r> it just sits there 21:58 < ecrist> where is that from, server I'm guessing? 21:58 < Mattz0r> yea 21:59 < Mattz0r> last line of the client connecting is.. 21:59 < Mattz0r> Sat Aug 23 03:59:00 2008 UDPv4 link remote: 64.18.129.130:1194 21:59 < Mattz0r> then thers nothing else 21:59 < Mattz0r> ¬_¬ 22:00 < ecrist> ifconfig shows? 22:00 < Mattz0r> ahhh 22:00 < Mattz0r> pm one sec? saves spamming ¬_¬ 22:00 < SilenceGold> Mattz0r did you really read the openvpn docs? 22:00 < Mattz0r> ive had it working before quite some time ago ¬_¬ 22:01 < Mattz0r> but it was under a debian host... and it worked first time :| 22:02 < Mattz0r> its telling me the TLS handshake failed, even tho i didnt set the tunnel to even have TLS 22:02 < SilenceGold> you didn't follow the documentations properly this time. 22:03 < Mattz0r> -.- 22:03 < ecrist> Mattz0r: OpenVPN is an SSL vpn suite. 22:05 * ecrist goes away for the night. 22:07 -!- Whoopie [i=Whoopie@unaffiliated/whoopie] has quit [Read error: 110 (Connection timed out)] 23:02 -!- Mattz0r [n=user@cpc1-linc5-0-0-cust861.nott.cable.ntl.com] has quit [] 23:16 < undertakingyou> ecrist: I am using different certificates. It is not a PEBKAC error, I am watching it hand out the same address to two different clients using two different certificates. 23:16 < undertakingyou> krzee: I am allowing OpenVPN to hand whatever address it wants to out of the range I have given it. 23:26 < ecrist> undertakingyou: what range did you give it? 23:34 < undertakingyou> 10.0.4.0/24. I gave the vpn its own subnet. 
--- Day changed Sat Aug 23 2008 01:13 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn 01:48 < krzee> werent you supposed to give it the ips you wanted to dish out? 01:48 < krzee> ... 01:49 < krzee> oh sorry that was someone else 01:53 < krzee> !configs 01:53 < vpnHelper> krzee: "configs" is please pastebin your client and server configs, also include which OS and version of openvpn. 01:54 < krzee> @ undertakingyou 02:54 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Client Quit] 03:35 < Bheam> oi 03:37 < Bheam> if 2 people have conflicting ip's between their local lan, is it still possible to setup openvpn bridge somehow? but with a different ip? 04:11 < Bheam> scratch that :p 04:21 -!- Whoopie_ is now known as Whoopie 04:32 < Bheam> right so bridges are to allow windows networks name resolution etc, and it says bridges are required for this 04:32 < Bheam> wouldn't a virtual network adapter alone allow this? 04:32 < kala> bridges is for L2 broadcasts to work 04:33 < kala> windows name resolution can work over broadcasts and WINS and DNS 04:33 < Bheam> L2 broadcasts? is that a particular kind of broadcast ? :p 04:34 < kala> ethernet broadcasts vs IP broadcasts 04:34 < kala> umm ... I think 04:34 < kala> now I'm not so sure anymore :) 04:35 < Bheam> well anyway 05:12 -!- Mattz0r [n=user@cpc1-linc5-0-0-cust861.nott.cable.ntl.com] has joined ##openvpn 05:17 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"] 05:42 -!- gallatin [n=gallatin@dslb-092-073-112-213.pools.arcor-ip.net] has joined ##OpenVPN 07:27 -!- gallatin [n=gallatin@dslb-092-073-112-213.pools.arcor-ip.net] has quit ["Client exiting"] 07:32 -!- hkais [n=dpalic@p4FEBEE0D.dip.t-dialin.net] has joined ##openvpn 07:34 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn 07:38 -!- hkais [n=dpalic@p4FEBEE0D.dip.t-dialin.net] has left ##openvpn [] 07:39 -!- BoomSie [n=gideon@212-182-158-43.ip.telfort.nl] has joined ##openvpn 08:13 -!- Netsplit kubrick.freenode.net <-> irc.freenode.net quits: pa, krzy, adie, plaerzen 08:14 -!- Netsplit over, joins: pa, adie, plaerzen, krzy 08:16 -!- BoomSie [n=gideon@212-182-158-43.ip.telfort.nl] has quit [Read error: 104 (Connection reset by peer)] 09:08 < ecrist> Bheam: no, you cannot. 09:09 < Mattz0r> hey ecrist 09:10 < Mattz0r> i think my issue is something to do with my host machine. lol 09:10 < Mattz0r> cause i tested a vpn between both PCs on my LAN, and it worked first time. 09:11 < ecrist> ok 09:11 < Mattz0r> so i might just give it up as a bad job :p 09:36 -!- near [n=near@88-122-17-249.rev.libertysurf.net] has quit [] 09:40 -!- near [n=near@88-122-17-249.rev.libertysurf.net] has joined ##openvpn 09:47 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 09:48 < ecrist> have a good day, kids. I'm of to 'The Great Minnesota Get-Together' 09:48 < ecrist> mauaahahahahahah! 10:42 -!- pred2k5 [n=Torsten@dslb-088-069-222-177.pools.arcor-ip.net] has joined ##openvpn 10:43 < pred2k5> hi, I have the following net configuration in my server config: "server 10.8.0.0 255.255.255.0", but a client with "ifconfig 10.8.0.24 10.8.0.23" (pushed) is not allowed?
10:43 < pred2k5> should be from 10.8.0.1 to 10.8.0.254 10:44 < pred2k5> "ifconfig endpoints [local=10.8.0.24, remote=10.8.0.23]. The local and remote VPN endpoints must exist within the same 255.255.255.25" 10:44 < pred2k5> 252 10:47 < pred2k5> 26/25 works again 10:48 < pred2k5> ah ok wrong subnet 10:48 < pred2k5> but why doest 20/19 work? 10:48 < pred2k5> does 10:52 -!- Dougy [n=doug@64.18.159.247] has quit [Read error: 110 (Connection timed out)] 11:02 -!- Optic [n=dfraser@miso.capybara.org] has left ##openvpn [] 11:16 -!- gongoputch [n=kseel@74.95.184.161] has joined ##openvpn 11:17 -!- Dougy [n=doug@64.18.159.247] has joined ##openvpn 11:17 < Dougy> Hi there 11:18 < Dougy> If my server only has one public IP, and I set openvpn to route all traffic through it, when browsing the internet does my IP show as the server's IP? 11:23 < gongoputch> by 'route all traffic through' = set your default route as the tunnel? 11:24 < gongoputch> if yes, think about what the effect of that would be 11:24 < Dougy> gongoputch: what effect? 11:24 < Dougy> you're making it sound like its nightmarish 11:24 < Dougy> gongoputch: so if my server's ip is 4.2.2.2, then when you connect to the vpn and surf the net, your ip would show as 4.2.2.2 11:24 < Dougy> is that possible? 11:25 < gongoputch> routing must the unequivocal. 11:25 < gongoputch> s/the/be/ 11:25 < Dougy> that confused me 11:25 < Dougy> o.o 11:25 < gongoputch> ok ... 11:26 < gongoputch> ovpn will need to have tcp/udp connectivity to maintain the tunnel 11:26 < gongoputch> then you set routes thru it 11:26 < Dougy> its run as root on my linux laptop + it runs as root on my server obv 11:26 < gongoputch> if you set the default route AS the internal endpoint of the tunnel ...... 11:27 < Dougy> i'm new to this, so can you stupidify that for me 11:27 < gongoputch> You are wanting to have all internet traffic proxied through your remote VPN machine? 
11:27 < Dougy> yes 11:28 < Dougy> so when they surf or IRC, it shows as corp.domain.com 11:28 < gongoputch> I am new to OVPN too but not new to tunnelling 11:28 < Dougy> i got it to designated 172.16.0.0/27 just fine 11:28 < Dougy> but i want to make it look like you're browsing from the server 11:29 < gongoputch> from a routing point of view, I guess you could add a route to your remote OVPN box as a single IP 11:29 < gongoputch> then make your default route the remote endpoint of the tunnel 11:29 < Dougy> push "redirect-gateway" 11:29 < Dougy> I uncommented that 11:29 < Dougy> now i gotta figure out the rest 11:29 < gongoputch> in theory that would maintain the link] 11:30 < gongoputch> of course, IP forwarding would have to be enabled on the remote 11:30 < Dougy> because on my laptop is executing "route add -net serverip netmask 255.255.255.255 gw gatewayip" 11:31 < gongoputch> it is an interesting 'problem' 11:35 < Dougy> ecrist show up 11:35 < Dougy> and i'll donate to your SSL cert 11:36 < gongoputch> do you have the tunnel up? 11:37 < gongoputch> just pick an IP somewhere on the net ... e.g. www.abc.com, set the route to it as the far side of the tunnel and ping it 11:38 < gongoputch> running tcpdump icmp on both your 'real' interface and the tunnel interafce 11:38 < Dougy> eh man i'm out of it today 11:38 < Dougy> i guess maybe i should save it for a rainy day 11:38 < Dougy> or when someone will really baby me through it 11:38 < gongoputch> why? 11:38 < gongoputch> this is a 'baby step' 11:38 < gongoputch> you now how to add a route? 
11:39 < Dougy> not done it in a while 11:39 * Dougy man's route 11:39 < Dougy> or do you mean with openVPN 11:39 < gongoputch> on FBSD it si "route add whereto wherethru 11:39 < gongoputch> no, just with your OS 11:39 < Dougy> route add -net serverip netmask 255.255.255.255 gw gatewayip 11:39 < gongoputch> ok 11:39 < gongoputch> you are on Linux than 11:39 < Dougy> yes 11:39 < Dougy> laptop is debian 11:40 < gongoputch> by adding one IP like thatyou are telling the OS "if you want host A, set the packets thru gateway B" 11:40 < Dougy> i see 11:41 < Dougy> so in theory that sends the route to make it pass thru if openvpn sends that 11:41 < Dougy> right? 11:41 < gongoputch> the remote side must be told to forward packets, and probably to NAT them (you are likely using rfc 1918 addresses) 11:41 < Dougy> probably 11:41 < gongoputch> in theory this should work 11:42 < gongoputch> there are usually signifant details 11:42 < Dougy> so do i need to edit sysctl.conf 11:42 < Dougy> and enable fwding 11:42 < gongoputch> sysctl.conf .... the server is fbsd? 11:42 < Dougy> linux has it as well 11:42 < gongoputch> ah 11:43 < Dougy> server is cent 11:43 < Dougy> 5 11:43 < gongoputch> I tried Linux seriously back in 1993 11:43 < gongoputch> I didn't like it 11:43 < gongoputch> FBSD from about 94 11:43 < gongoputch> :) 11:44 * Dougy shrugs 11:44 < Dougy> I was still in diapers then 11:44 < gongoputch> I should really dick around with ovpn some more before I give advise 11:44 < Dougy> lol 11:45 < gongoputch> ecrist has some really good articles on it in his wiki 11:46 < Dougy> ecrist is awesome. 11:49 < gongoputch> I know him from ##freebsd 11:50 -!- Whoopie [i=Whoopie@unaffiliated/whoopie] has left ##openvpn ["bye"] 11:53 < Dougy> well 11:53 < Dougy> i enabled packet forwarding in sysctl.conf and rebooted 11:53 < Dougy> it added the route 11:53 < Dougy> still not workin 12:40 < gongoputch> do you have NAT on the oposite side? 12:40 < gongoputch> anf what route did you add? 
13:06 < krzee> !wiki 13:06 < vpnHelper> krzee: "wiki" is https://www.secure-computing.net/wiki/index.php/OpenVPN 13:06 < krzee> thats his wiki btw 13:07 < krzee> !route 13:07 < vpnHelper> krzee: Error: "route" is not a valid command. 13:07 < krzee> !routes 13:07 < vpnHelper> krzee: Error: "routes" is not a valid command. 13:07 < krzee> bleh 13:07 < krzee> !learn route as https://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 13:07 < vpnHelper> krzee: The operation succeeded. 13:07 < krzee> !learn routes as https://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 13:07 < vpnHelper> krzee: The operation succeeded. 13:23 < krzee> !learn tls-cipher as http://sourceforge.net/mailarchive/forum.php?thread_name=48B01B33.6030806%40usa.net&forum_name=openvpn-users 13:23 < vpnHelper> krzee: The operation succeeded. 13:23 < krzee> !tls-cipher 13:23 < vpnHelper> krzee: "tls-cipher" is http://sourceforge.net/mailarchive/forum.php?thread_name=48B01B33.6030806%40usa.net&forum_name=openvpn-users 13:23 < krzee> heh 13:32 < krzee> !ubuntu 13:32 < vpnHelper> krzee: "ubuntu" is dont use network manager! 
13:34 < krzee> !privledges 13:34 < vpnHelper> krzee: "privledges" is just choose a sandbox user/group that nothing else is using, then in config use: user vpnuser and group vpngroup , and if it is the server add: persist-key and persist-tun 13:34 < krzee> !freebsd 13:34 < vpnHelper> krzee: "freebsd" is https://www.secure-computing.net/wiki/index.php/OpenVPN_Server 13:34 < krzee> !gentoo 13:34 < vpnHelper> krzee: "gentoo" is http://gentoo.linuxhowtos.org/openvpn/openvpn.htm 13:35 < krzee> !secure 13:35 < vpnHelper> krzee: "secure" is (#1) http://openvpn.net/howto.html#security, or (#2) http://openvpn.net/index.php/documentation/security-overview.html 13:36 < krzee> !ask 13:36 < vpnHelper> krzee: "ask" is (#1) don't ask to ask, just ask your question please, or (#2) http://www.latinsud.com/answer/ 13:36 -!- aia [n=aia@unaffiliated/aia] has joined ##openvpn 13:40 < krzee> !learn menu as !tls-cipher, !howto, !faq, !winroute, !iroute, !route, !mail, !tls-verify, !pastebin, !logs, !man, !ubuntu, !gentoo, !freebsd, !ccd, !mtu, !bridge, !tcp, !privledges, !insanity, !nat, !secure, !ask 13:40 < vpnHelper> krzee: The operation succeeded. 13:40 < krzee> !freebsd 13:40 < vpnHelper> krzee: "freebsd" is https://www.secure-computing.net/wiki/index.php/OpenVPN_Server 13:41 < krzee> !winpass 13:41 < vpnHelper> krzee: "winpass" is openvpnGUI for windows has a change password feature that will change the passphrase on your .key files 13:41 < krzee> !forget menu 13:41 < vpnHelper> krzee: The operation succeeded. 13:41 < krzee> !learn menu as !tls-cipher, !howto, !faq, !winroute, !iroute, !route, !mail, !tls-verify, !pastebin, !logs, !man, !ubuntu, !gentoo, !freebsd, !ccd, !mtu, !bridge, !tcp, !privledges, !insanity, !nat, !secure, !ask, !wiki, !sample, !configs, !winpass 13:41 < vpnHelper> krzee: The operation succeeded. 13:42 < gongoputch> ah, a bot! 
13:42 < gongoputch> vpnHelper: help 13:42 < vpnHelper> gongoputch: (help [] []) -- This command gives a useful description of what does. is only necessary if the command is in more than one plugin. 13:42 < krzee> basically im trying to give you !menu 13:42 < krzee> !forget menu 13:42 < vpnHelper> krzee: The operation succeeded. 13:42 < krzee> !learn menu as !tls-cipher, !howto, !faq, !winroute, !iroute, !route, !mail, !tls-verify, !pastebin, !logs, !man, !ubuntu, !gentoo, !freebsd, !ccd, !mtu, !bridge, !tcp, !privledges, !insanity, !nat, !secure, !ask, !wiki, !sample, !configs, !winpass, !dev 13:42 < vpnHelper> krzee: The operation succeeded. 13:42 < krzee> !menu 13:42 < vpnHelper> krzee: "menu" is !tls-cipher, !howto, !faq, !winroute, !iroute, !route, !mail, !tls-verify, !pastebin, !logs, !man, !ubuntu, !gentoo, !freebsd, !ccd, !mtu, !bridge, !tcp, !privledges, !insanity, !nat, !secure, !ask, !wiki, !sample, !configs, !winpass, !dev 13:43 < krzee> with all the learned commands 13:43 < krzee> unfortunatly that gets upkeep by hand 13:43 < krzee> which is kinda lame 13:43 < gongoputch> what is vpnhelper? An eggdrop? 13:44 < krzee> no 13:44 < krzee> !/30 13:44 < vpnHelper> krzee: "/30" is http://openvpn.net/index.php/documentation/faq.html#slash30 13:44 < krzee> !forget menu 13:44 < vpnHelper> krzee: The operation succeeded. 13:45 < krzee> !learn menu as !tls-cipher, !howto, !faq, !winroute, !iroute, !route, !mail, !tls-verify, !pastebin, !logs, !man, !ubuntu, !gentoo, !freebsd, !ccd, !mtu, !bridge, !tcp, !privledges, !insanity, !nat, !secure, !ask, !wiki, !sample, !configs, !winpass, !dev, !/30 13:45 < vpnHelper> krzee: The operation succeeded. 
13:45 < krzee> a supybot 13:45 < krzee> i think eggdrops are overkill for freenode 13:45 < krzee> they're more coded for efnet 13:46 < gongoputch> I like TCL better than python 13:46 < krzee> cool 13:46 < gongoputch> but I am a fogey 13:47 < krzee> supybot comes with everything we use for the channel anyways 13:47 < krzee> so the lang doesnt come into play 13:47 < gongoputch> it looks good 13:47 < gongoputch> I like bots 13:47 < gongoputch> some chans ban them 13:47 < krzee> ya its pretty handy for helpin people 13:48 < krzee> that and the wiki has made it easier to just point people to the answers for commonly asked stuff 13:48 < krzee> of course we still need to add more content to both (especially the wiki) 13:49 < krzee> but it'll get done as topics come up 13:50 < gongoputch> it is a different world today, the way info systems are more and more integrated 13:50 < krzee> !learn multi as please see !iroute 13:50 < vpnHelper> krzee: The operation succeeded. 13:50 < krzee> !forget menu 13:50 < vpnHelper> krzee: The operation succeeded. 13:50 < krzee> !learn menu as !tls-cipher, !howto, !faq, !winroute, !iroute, !route, !mail, !tls-verify, !pastebin, !logs, !man, !ubuntu, !gentoo, !freebsd, !ccd, !mtu, !bridge, !tcp, !privledges, !insanity, !nat, !secure, !ask, !wiki, !sample, !configs, !winpass, !dev, !/30, !multi 13:50 < vpnHelper> krzee: The operation succeeded. 13:50 < krzee> would be nice if Factoids updated !menu on its own 13:51 < krzee> and ya what you said is very true 13:51 < krzee> voip as a prime example 13:51 < krzee> we're moving closer and closer to unified messaging 13:51 < krzee> which is pretty cool 13:51 < gongoputch> yet corporate america fails to avail itself of it, by and large 13:52 < gongoputch> except in isolation, like using VOIP instead of PBXs 13:52 < gongoputch> but it uses VOIP LIKE IT WAS a PBX 13:52 < gongoputch> duh. 
13:52 < krzee> hahah 13:52 < krzee> yup 13:53 < krzee> they still use PBX's for voip 13:53 < krzee> just not analog ones ;] 13:53 < gongoputch> sigh 13:54 < gongoputch> I think if management can't understand it, no one will use it 13:54 < krzee> just makes more room for the little guy 13:54 < gongoputch> yes 13:54 < gongoputch> it does 14:01 < krzee> !router 14:01 < vpnHelper> krzee: "router" is if you are using one of those hacked up linksys linux routers, and you are not logging... dont expect help until you turn on logging so you can post them 14:01 < krzee> !forget menu 14:01 < vpnHelper> krzee: The operation succeeded. 14:01 < krzee> !learn menu as !tls-cipher, !howto, !faq, !winroute, !iroute, !route, !mail, !tls-verify, !pastebin, !logs, !man, !ubuntu, !gentoo, !freebsd, !ccd, !mtu, !bridge, !tcp, !privledges, !insanity, !nat, !secure, !ask, !wiki, !sample, !configs, !winpass, !dev, !/30, !multi, !router 14:01 < vpnHelper> krzee: The operation succeeded. 14:01 < krzee> !notopenvpn 14:01 < vpnHelper> krzee: "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem 14:01 < krzee> !forget menu 14:01 < vpnHelper> krzee: The operation succeeded. 14:01 < krzee> !learn menu as !tls-cipher, !howto, !faq, !winroute, !iroute, !route, !mail, !tls-verify, !pastebin, !logs, !man, !ubuntu, !gentoo, !freebsd, !ccd, !mtu, !bridge, !tcp, !privledges, !insanity, !nat, !secure, !ask, !wiki, !sample, !configs, !winpass, !dev, !/30, !multi, !router, !notopenvpn 14:01 < vpnHelper> krzee: The operation succeeded. 14:01 < krzee> !path 14:01 < vpnHelper> krzee: "path" is always use full paths in your config file, it makes things easier 14:02 < krzee> !forget menu 14:02 < vpnHelper> krzee: The operation succeeded. 
14:02 < krzee> !learn menu as !tls-cipher, !howto, !faq, !winroute, !iroute, !route, !mail, !tls-verify, !pastebin, !logs, !man, !ubuntu, !gentoo, !freebsd, !ccd, !mtu, !bridge, !tcp, !privledges, !insanity, !nat, !secure, !ask, !wiki, !sample, !configs, !winpass, !dev, !/30, !multi, !router, !notopenvpn, !path 14:02 < vpnHelper> krzee: The operation succeeded. 14:02 < krzee> !netman 14:02 < vpnHelper> krzee: "netman" is if you are using network manager for linux to configure your vpn, dont! http://openvpn.net/archive/openvpn-users/2008-01/msg00046.html to read the same thing from an openvpn expert on the mail list 14:02 < krzee> !learn menu as !tls-cipher, !howto, !faq, !winroute, !iroute, !route, !mail, !tls-verify, !pastebin, !logs, !man, !ubuntu, !gentoo, !freebsd, !ccd, !mtu, !bridge, !tcp, !privledges, !insanity, !nat, !secure, !ask, !wiki, !sample, !configs, !winpass, !dev, !/30, !multi, !router, !notopenvpn, !path, !netman 14:02 < vpnHelper> krzee: The operation succeeded. 14:02 < krzee> !forget menu 1 14:02 < vpnHelper> krzee: The operation succeeded. 15:11 -!- ompaul_ [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn 15:13 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Nick collision from services.] 15:14 -!- Concept-P [n=concept@twimp.se] has joined ##openvpn 15:17 < Concept-P> Hello all! I have a question that I cant seem to find an anwser to. Im trying to connect to my vpn server, but it fails with the tls auth. I have changed the ta.key on both the server and the client. But it still does not work. Does the ta.key need to be signed with the ca or something like that? 15:20 < Concept-P> tips or a url to a howto would be helpfull. =) the one on openvpn.net seems to be lacking some info. =P 15:22 < undertakingyou> krzee and ecrist: Thanks for your pointers, I figured out why everyone was getting the same IP and I now have it resolved. 15:27 < krzy> no problem, what was it? 
15:28 < krzy> Concept-P: 15:28 < krzy> !logs 15:28 < vpnHelper> krzy: "logs" is is please pastebin your logfiles from both client and server with verb set to 6 15:28 < krzy> !configs 15:28 < vpnHelper> krzy: "configs" is please pastebin your client and server configs, also include which OS and version of openvpn. 15:28 < Concept-P> undertakingyou: did you make the cerficates with the same servername? I made that error yesterday =D 15:29 < krzy> Concept-P, they wouldnt be able to connect in that case without duplicate-cn 15:29 < undertakingyou> krzy, even though I had different cert/key pairs they were all built with the same common name. So, rebuild the crt's with different comon name and then away we go. 15:29 < krzy> (which should not be enabled) 15:29 < undertakingyou> yeah Concept-P, looks like I had the same thing going. 15:29 < krzy> hahah, concept-p was right 15:29 < krzy> werd 15:29 < Concept-P> heh. =D 15:29 < krzy> undertakingyou, i take it you were using duplicate-ncn? 15:29 < krzy> s/ncn/cn/ 15:30 < Concept-P> krzy: the error in the logs is a TLS error. I could paste the 3 lines, but I dont think its needed. 15:30 < undertakingyou> I don't want duplicate-cn so it is off. I want one connection per crt/key pair. I thought the common name would be what I started with, so ./build-key client1 would make client1 the common name. 15:30 < krzy> i would like to see the logs and configs 15:30 < krzy> if you want help from me, i need to see them 15:30 < Concept-P> krzy: oki. w8. 15:31 < krzy> undertakingyou, good... i was going to tell you to remove it 15:31 < Dougy> ecrist: when you're here, send me a PM' 15:31 < krzy> Dougy, hes most often here on weekdays 15:32 < krzy> depending on hos busy he is at work 15:32 < krzy> s/hos/how/ 15:32 < Dougy> he was ere yesterday night 15:32 < krzy> yup, he does stop through other times too, but if you dont hear from him before monday try him again 15:34 < Concept-P> krzy: http://plu.nu/~concept/temp/ server config, client config, and log from client. =) 15:34 < vpnHelper> Title: Index of /~concept/temp (at plu.nu) 15:35 < krzy> thx, reading 15:35 < Concept-P> krzy: thank you for the help =) 15:35 < krzy> np 15:35 < krzy> you have a reason for tcp? firewall allows 1195 tcp but not udp? 15:35 < krzy> !tcp 15:35 < vpnHelper> krzy: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html 15:36 < Concept-P> krzy: no real reason actually. just started out that way.. 15:36 < krzy> k, make sure you switch back to udp 15:37 < Concept-P> krzy: oki. I never understood why udp would be better. =) 15:37 < krzy> werd, the link vpnHelper gave will explain why 15:37 < krzy> but while that COULD be your problem, odds are it isnt 15:37 < krzy> may as well test if it works with udp, but likely its the same 15:38 < krzy> !man 15:38 < vpnHelper> krzy: "man" is http://openvpn.net/index.php/documentation/manuals/openvpn-20x-manpage.html the man pages are your friend! 15:38 < krzy> (thats for me) 15:38 < krzy> looking up what your mssfix 15:38 < krzy> does 15:39 < Concept-P> krzy: I dont think it is. Everything was working fine yesterday, untill I realised that I had put the same commonname on all certs (the commonname of the vpnserver, not the client) and then I used the easy-rsa clean-all script, and regenerated everything from scratch. replaced all the certs and key files, and then it didnt work anymore.
15:40 < krzy> ohh 15:40 < krzy> ok then you likely kept 1 file somewhere from the old setup 15:40 < krzy> remove everything related to certs and start over 15:40 < Concept-P> krzy: Ok, now I understand why tcp is not a good option. 15:41 < krzy> ya 15:41 < krzy> its good openvpn supports it cause sometimes its the only way 15:41 < krzy> but if you can avoid it, do 15:42 < krzy> also 15:42 < krzy> Sat Aug 23 21:29:41 2008 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info. 15:42 < vpnHelper> Title: OpenVPN 2.0 HOWTO (at openvpn.net) 15:42 < Concept-P> krzy: hmm, I did remove all the files. from the server with the clean-all script. then I copied all certs and stuff over a secure channel to an ironkey, then copied the files from the ironkey to the clients. 15:42 < krzy> see that link 15:43 < Concept-P> krzy: yeah, I noticed that too yesterday, I have another client config (on an another machine) where I fixed that issue. =) 15:43 < krzy> cool 15:43 < krzy> it looks like there was a problem when copying the files 15:44 < Concept-P> krzy: But atm, I thought it was more important to get the thing going than worring about mitm =D 15:44 < krzy> oh wait 15:44 < krzy> Sat Aug 23 21:29:46 2008 Authenticate/Decrypt packet error: packet HMAC authentication failed 15:44 < krzy> thats your tls.key 15:44 < krzy> yourstatic key 15:44 < krzy> for now you can comment out tls-auth and see if it works 15:44 < Concept-P> hmm. w8. 15:44 < krzy> (on client and server) 15:45 < krzy> !sample 15:45 < vpnHelper> krzy: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs 15:45 < krzy> )thats for me too) 15:46 < Concept-P> krzy: Now I feel like a jackass. =D 15:46 < krzy> didnt copy over the new tls static key? 15:46 < Concept-P> krzy: when I recreated all the keys.. I didnt make a tls.key =D 15:46 < krzy> ya 15:46 < krzy> it happens ;] 15:46 < Concept-P> =D 15:47 < krzy> btw, good looking configs 15:47 < krzy> can tell you read the docs 15:47 < Concept-P> krzy: thats the openvpn --genkey --secret command right? 15:47 < krzy> if you have lans behind clients, see !iroute 15:48 < krzy> !secure 15:48 < vpnHelper> krzy: "secure" is (#1) http://openvpn.net/howto.html#security, or (#2) http://openvpn.net/index.php/documentation/security-overview.html 15:48 < krzy> 1sec 15:48 -!- hawk [n=hawk@pdpc/supporter/active/hawk] has quit [Read error: 104 (Connection reset by peer)] 15:48 < krzy> yup, that is it 15:48 < krzy> can see man page (!man) for making the key bigger than default 15:48 < krzy> personally i use 4096 for everything 15:49 < krzy> default is 1024 15:49 < Concept-P> krzy: then I did make it. I just named it ta.key instead. =/ 15:49 < krzy> well they arent identical on both sides 15:50 < Concept-P> krzy: Im using 2048 for everything.. but maybe I should change it to 4096 before starting everything. 15:50 < krzy> 2048 is good too, hat strength you use is up to you 15:50 < krzy> i just go overboard 15:50 < krzy> im krzy like that ;) 15:51 < Concept-P> krzy: well. it is a medical office. so it should be secure. =P 15:51 < krzy> ahh, yes it should be 15:51 < krzy> may as well pump it up to 4096 everywhere 15:51 < Concept-P> krzy: since I guess I missed a step somewhere, Ill remake all keys with 4096 =) 15:52 < krzy> i use 4096 in certs, TLS key, DH key 15:52 < krzy> you use fbsd? 15:53 < Concept-P> krzy: No, linux. 15:53 < Concept-P> krzy: krzy for the server anyway. all the clients are winxp 15:54 < krzy> werd 15:54 < krzy> ecrist made a perl script to manage keys and all that with 15:54 < krzy> you may find it helpful 15:55 < krzy> it is included in FBSD ports, but would work on linux too 15:55 < Concept-P> krzy: Im not used to fbsd, or any bsd. So I feel that its better to use something familiar (where I know where the potholes are) rather than use a system that might have one or too potwholes, but you dont know where they are. =D 15:55 < Concept-P> krzy: I can give it a try, where can I find it? 15:56 < krzy> i totally agree 15:56 < krzy> you the OS you know 15:56 < krzy> 1sec lemme find it 15:56 < krzy> !wiki 15:56 < vpnHelper> krzy: "wiki" is https://www.secure-computing.net/wiki/index.php/OpenVPN 15:57 < krzy> i would recommend doing it by hand, but you have done that a couple times now and using a tool like this wont hurt you from learning (cause you already know how to by hand) 15:58 < krzy> https://www.secure-computing.net/wiki/index.php/OpenVPN_Server 15:58 < vpnHelper> Title: OpenVPN Server - Secure Computing Wiki (at www.secure-computing.net) 15:58 < krzy> skip to Setup SSL Certificates/Keys 15:58 < Concept-P> learn how to do something by hand first. then you can cheat =D 15:59 < krzy> yup =] 16:00 < krzy> https://www.secure-computing.net/wiki/images/c/c3/Ssl-admin.tar 16:01 < krzy> Extract the tgz in your home directory (for now). You should see two files, ssl-admin.pl, and openssl.cnf. 16:01 < krzy> [edit] Tuning ssl-admin.pl 16:01 < krzy> You must edit the perl script to work correctly on your network. When initially downloaded, the script with exit, reminding you to setup all the variables at the top of the file. By default, the top of the file looks like this: 16:01 < Concept-P> even this vpn is a bit overkill. Im using a vpn on a local network. but the servers cannot be accessed without being on the vpn =D 16:01 < krzy> etc etc 16:01 < krzy> local network... 16:01 < krzy> umm, its connecting and routing right?
16:02 < Concept-P> krzy: well, I dont run any scripts before I read them =D 16:02 < krzy> good 16:02 < krzy> if you have comments or suggestions on that script im sure ecrist is open to them 16:02 < Concept-P> krzy: it worked just fine yesterday (besides the fact that all the clients got the same ip) 16:03 < krzy> hrm very odd 16:03 < krzy> it shouldnt really work on the same lan 16:03 < krzy> routing should get confused 16:03 < Concept-P> krzy: the reason is because there are two remote laptops that will be connecting to the vpn as well. 16:04 < krzy> and thats a perfect reason to use openvpn ;] 16:04 < Concept-P> krzy: well, its only the local network that need access to the servers. the computers can access the internet without the vpn. 16:04 < Concept-P> krzy: I didnt have any problems with the routing anyway =) 16:04 < krzy> i think im just misunderstanding you 16:05 < krzy> and it dont sound broken, so we dont need to fix it ;] 16:05 < Concept-P> hehe right. =) 16:06 < Concept-P> krzy: let me put it this way, there is a samba server on the network that only listens to the vpn interface. so if you are not part of the vpn, you cant access the sambaserver =) 16:06 < krzy> oh ok cool 16:06 < krzy> thought you meant client and server were on same lan 16:06 < krzy> which should not work 16:07 < krzy> what you are saying is good 16:07 < krzy> i think im just misunderstanding you 16:07 < krzy> ^that was the case 16:08 < Concept-P> =) 16:08 < Concept-P> krzy: where are you from, I feel like I recognize your nick =) 16:08 < krzy> been krzee on efnet for many years 16:08 -!- Mattz0r [n=user@cpc1-linc5-0-0-cust861.nott.cable.ntl.com] has quit [] 16:08 < krzy> and was krzy for awhile too 16:09 < Concept-P> krzy: where you in channels on efnet that where with a key? 
16:09 < krzy> been here on freenode for awhile too, but not nearly as long 16:09 < krzy> ive been in a shitton of channels with and withoiut keys 16:09 < krzy> i been on efnet since early - mid 90's 16:09 < krzy> like 93 or so i think 16:10 < Concept-P> oki =) 16:10 < krzy> ohhh 16:10 < krzy> i was RNS counsil for a couple yrs 16:10 < krzy> had 2 counsil spots 16:10 < Concept-P> oki. 16:10 < Concept-P> maybe thats it. =) 16:10 < krzy> and ran a few groups 16:11 < krzy> abuse ,CDA, sFx, NoD, then went to RNS til i quit all scenes 16:11 < Concept-P> krzy: what did RNS release? 16:11 < krzy> mp3 16:12 < krzy> was the #1 mp3 group 16:12 < Concept-P> electronic music? 16:12 < krzy> everything 16:12 < Dougy> I need someone to answer a question and then baby me through something 16:12 < krzy> Dougy, the question? 16:12 < Dougy> typing it 16:12 < Dougy> sec 16:12 < krzy> Dougy, my babying will be more of pointing you to the right docs 16:12 < Dougy> If I have a server with 1 ip, is it possible to route all traffic thru it? Like, when you VPN in (say 6 diff clients), when you brwose the web / IRC, it shows the server's IP 16:13 < Dougy> krzy: as long as I get it done, that's fine by me 16:13 < krzy> dougy, absolutely 16:13 < krzy> !nat 16:13 < vpnHelper> krzy: "nat" is http://openvpn.net/howto.html#redirect 16:13 < krzy> its not an openvpn thing, you want NAT 16:13 * Dougy reads 16:13 < krzy> dougy, server OS? 16:13 < Dougy> Cent5 16:13 < krzy> cool, that link gives example of how to NAT on linux 16:14 < Dougy> so just do what it says there? 16:14 < Dougy> what's "def1" 16:14 < Dougy> is that an interface? 16:14 < krzy> !man 16:14 < vpnHelper> krzy: "man" is http://openvpn.net/index.php/documentation/manuals/openvpn-20x-manpage.html the man pages are your friend! 
16:14 < Dougy> you could just have answered it too :p that doesnt take much
16:15 < krzy> i am
16:15 < krzy> had to goto man and CNTRL F
16:15 < krzy> well apple F, i use mac
16:15 < krzy> Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway.
16:15 < krzy> Using the def1 flag is highly recommended, and is currently planned to become the default by OpenVPN 2.1.
16:16 < krzy> i THINK ive heard of issues with def1 and windows, but you use linux so shouldnt have a problem
16:16 < Dougy> one more question krzy
16:16 < Dougy> push "dhcp-option DNS 10.8.0.1" <--
16:16 < Dougy> can i put like
16:17 < Dougy> push "dhcp-option DNS 204.8.216.67 204.8.216.102"
16:17 < Dougy> ?
16:18 < krzy> changing them to another external IP only while on the VPN?
16:18 < Dougy> yeah
16:18 < Dougy> soon as they are off vpn, they resume using ISP's ip
16:18 < Dougy> unless im not understand
16:18 < Dougy> unless im not understanding*
16:19 < krzy> well ya but if its not going over the vpn why not always use that ip?
16:19 < Dougy> Im slow today
16:19 < Dougy> idk what you mean
16:22 < Concept-P> krzy: oh, right. While Im waiting for the cert generation (damn 4096 dh gen =D) Ive been trying to find out how to give the clients static ips, but cant seem to find any info about that. openvpn stores ip mapping in the ippool.txt file. can I manually edit that for static ips?
16:23 < Dougy> krzy: :(
16:23 < krzy> dougy, i will check, dunno if you can supply 2 NS or not
16:24 < krzy> but for windows what you said will def work for 1 NS
16:24 < krzy> Concept-P, kinda
16:24 < krzy> that *would* work, but doesnt guarantee they stay the same
16:24 < Concept-P> krzy: is there a better way?
16:24 < krzy> you give it an ifconfig in a ccd entry
16:24 < krzy> !ccd
16:24 < vpnHelper> krzy: "ccd" is entries that are basically included into server.conf, but only for the specified client
16:24 < Concept-P> ahh
16:25 < Concept-P> ok, Ill look into that.
16:25 < Dougy> well krzy
16:25 < Dougy> i can just use my priv one then
16:25 < Dougy> heh
16:25 -!- mucimon [n=mucimon@lugbari/people/mucimon] has joined ##openvpn
16:27 < Dougy> krzy: i did the thing (masquerade) etc, and enabled packet fwding in sysctl.conf on my linux laptop
16:27 < Dougy> its not routing traffic thru it :(
16:28 < krzy> Dougy, can the client still access the inet at all?
16:33 < Dougy> negative
16:33 < Dougy> i cant nslookup anything etc
16:33 < Dougy> i can ping other clients on he vpn
16:33 < Dougy> the*
16:33 < Dougy> that's it
16:34 < Dougy> eg 172.16.0.4
16:34 < krzy> dougy, to push 2 DNS servers to win client try using push "dhcp-option DNS 204.8.216.67" and push "dhcp-option DNS 204.8.216.102"
16:34 < krzy> ok cool, then your openvpn stuff is working right
16:34 < krzy> its your iptables NAT that is not
16:34 < Dougy> that wasn't it krzee
16:34 < Dougy> er krzy
16:34 < krzy> im krzee too
16:34 < Dougy> i just changed it to my private ns (its only 1 ip, and neither of those)
16:35 < krzy> werd
16:35 < Dougy> should that modify the resolv.conf locally?
16:35 < Dougy> like on the client
16:35 < Dougy> because they're not the one in my server.conf
16:36 < krzy> echo 1 > /proc/sys/net/ipv4/ip_forward
16:36 < krzy> sudo iptables -t nat -A POSTROUTING -s 172.16.0.0/24 -o eth0 -j MASQUERADE
16:36 < krzy> You can verify the rule was written correctly with:
16:36 < krzy> sudo iptables -L -t nat
16:36 < Dougy> that file is already set to 1
16:36 < krzy> (i dont really use linux, going from a google search)
16:37 < Dougy> I have it as /26 not /24, and i ran that
16:37 < Dougy> but the iptables thing i didnt do (last thing)
16:37 < Dougy> er its returning nothing
16:37 < krzy> that just lists the table
16:37 < Dougy> yeah
16:37 < Dougy> which is empty
16:37 < krzy> hrmz
16:37 < krzy> you have iptables loaded?
16:37 < Dougy> yes
16:38 < Dougy> er oops
16:38 < Dougy> hmm
16:38 < Dougy> Chain POSTROUTING (policy ACCEPT)
16:38 < Dougy> target prot opt source destination
16:38 < Dougy> MASQUERADE all -- 172.16.0.0/26 anywhere
16:38 < Dougy> MASQUERADE all -- 172.16.0.0/26 anywhere
16:38 < Dougy> double :S
16:38 < Dougy> now its only there once
16:38 < Dougy> do i need to enable forwarding on the server as well, krzy?
16:39 < krzy> you mean you only set that file to 1 on the client?
16:39 < Dougy> :<
16:40 < krzy> yes, you want it on the server and prolly not on the client
16:40 < krzy> note, setting that file to 1 does not go across reboots
16:40 < krzy> its just for turning on forwarding without a reboot
16:40 < Dougy> lets try that
16:40 < Dougy> yup
16:40 < Dougy> i know
16:40 < Dougy> okay
16:40 < Dougy> i added fwding on the server
16:41 < Dougy> hmm
16:41 < krzy> now it works?
16:41 < Dougy> testing
16:41 < Dougy> YES!
16:41 < Dougy> :D:D:D
16:41 < Dougy> Thank youuuuu
16:41 < krzy> yw =]
16:41 < Dougy> haha :D
16:42 < krzy> see i didnt hafta baby you, you read the docs that you were pointed to =]
16:42 < krzy> and got it workin
16:42 < Concept-P> =D
16:43 < krzy> and because you did that, you learned a lil more bout networking ;]
16:43 < Concept-P> that damn learning part. =D
16:44 < Dougy> you babied me some krzy
16:44 < Dougy> one more question krzy though
16:44 < Dougy> is it possible to log everything done on the vpn
16:44 < Dougy> like all sites browsed, etc
16:44 < Concept-P> sniff all the traffic that goes over the tap?
16:44 < krzy> should be able to monitor traffic on the VPN interface
16:45 < krzy> or by logging through iptables
16:45 < Dougy> I want it to log if client 3 goes to google.com
16:45 < Dougy> for eg
16:45 < krzy> but thats definitely not openvpn related
16:45 < krzy> !notopenvpn
16:45 < vpnHelper> krzy: "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem
16:45 < Dougy> well, where would i need to ask
16:45 < krzy> you are really asking how to monitor traffic of clients on a NAT
16:46 < Dougy> and krzy i have a openvpn question :p
16:46 < krzy> a linux channel
16:46 < Dougy> using the default howto
16:46 < Dougy> to generate the certs
16:46 < Dougy> is there any encryption on that
16:46 < Dougy> o.O
16:46 < krzy> absolutely!
16:46 < Dougy> what level is it o.O
16:46 < Dougy> Probably crappy
16:46 < krzy> post your configs please
16:46 < Dougy> er
16:46 < Dougy> what one o.O
16:46 < krzy> server and 1 client
16:47 < krzy> ill toss you any tips i see on how to make it better
16:47 < krzy> as far as that goes
16:48 < Dougy> can i pm you
16:48 < krzy> pm me the pastebin to the configs?
16:48 < Dougy> yesh
16:48 < Dougy> yeah*
16:48 < krzy> sure, but that will stop anyone else from giving input
16:49 < krzy> ouch
16:49 < krzy> please remove the comments
16:49 < krzy> like this:
16:49 < krzy> !sample
16:49 < vpnHelper> krzy: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs
16:49 < krzy> (thats my configs)
16:49 < Dougy> oh
16:49 < Dougy> lol
16:49 < Dougy> comments take forever to remove
16:50 < krzy> with a few things removed which would require explanation, my setup is very diff than most
16:50 < krzy> its a serious PITA to dig through a huge config which is 80% comments
16:50 < krzy> !configs
16:50 < vpnHelper> krzy: "configs" is please pastebin your client and server configs, also include which OS and version of openvpn.
16:50 < krzy> !forget configs
16:50 < vpnHelper> krzy: The operation succeeded.
16:51 < Dougy> no prob
16:51 < Dougy> ill work on it
16:51 < krzy> !learn configs as please pastebin your client and server configs (with comments removed), also include which OS and version of openvpn.
16:51 < vpnHelper> krzy: The operation succeeded.
16:52 < krzy> whoa!
16:52 < krzy> ovpn.pastebin.com
16:52 < krzy> thats awesome
16:52 < krzy> didnt know that existed
16:53 < krzy> ok you want HMAC verification using tls-auth
16:53 < krzy> !tls-auth
16:53 < vpnHelper> krzy: Error: "tls-auth" is not a valid command.
16:53 < krzy> !secure
16:53 < vpnHelper> krzy: "secure" is (#1) http://openvpn.net/howto.html#security, or (#2) http://openvpn.net/index.php/documentation/security-overview.html
16:53 < krzy> see http://openvpn.net/howto.html#security
16:53 < vpnHelper> Title: OpenVPN 2.0 HOWTO (at openvpn.net)
16:54 < Dougy> krzy: anything exists
16:54 < Dougy> http://rooi5j28ow890t098t90898s.pastebin.com exists
16:54 < krzy> !learn tls-auth as The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. see !secure for how
16:54 < vpnHelper> krzy: The operation succeeded.
16:55 < krzy> !menu
16:55 < vpnHelper> krzy: "menu" is !tls-cipher, !howto, !faq, !winroute, !iroute, !route, !mail, !tls-verify, !pastebin, !logs, !man, !ubuntu, !gentoo, !freebsd, !ccd, !mtu, !bridge, !tcp, !privledges, !insanity, !nat, !secure, !ask, !wiki, !sample, !configs, !winpass, !dev, !/30, !multi, !router, !notopenvpn, !path, !netman
16:55 < krzy> !learn menu as !tls-cipher, !howto, !faq, !winroute, !iroute, !route, !mail, !tls-verify, !pastebin, !logs, !man, !ubuntu, !gentoo,
16:55 < vpnHelper> krzy: The operation succeeded.
16:55 < krzy> !freebsd, !ccd, !mtu, !bridge, !tcp, !privledges, !insanity, !nat, !secure, !ask, !wiki, !sample, !configs, !winpass, !dev, !/30,
16:55 < krzy> grr
16:55 < krzy> !forget menu
16:55 < vpnHelper> krzy: Error: 2 factoids have that key. Please specify which one to remove, or use * to designate all of them.
16:55 < krzy> !forget menu *
16:55 < vpnHelper> krzy: The operation succeeded.
16:56 < Concept-P> heh. !insanity =D
16:56 < krzy> !learn menu as !tls-cipher, !howto, !faq, !winroute, !iroute, !route, !mail, !tls-verify, !pastebin, !logs, !man, !ubuntu, !gentoo, !freebsd, !ccd, !mtu, !bridge, !tcp, !privledges, !insanity, !nat, !secure, !ask, !wiki, !sample, !configs, !winpass, !dev, !/30, !multi, !router, !notopenvpn, !path, !netman, !tls-auth
16:56 < vpnHelper> krzy: The operation succeeded.
16:56 < krzy> !insanity
16:56 < vpnHelper> krzy: "insanity" is doing the same thing over and over expecting different results
16:56 < krzy> ;]
16:56 < Dougy> Well krzy what d'ya say
16:57 < Concept-P> haha =)
16:57 < Concept-P> so true =)
16:57 < krzy> Dougy, you also want ns-cert-type server in client config
16:58 < krzy> you can change tls-cipher to use whatever encryption both sides support (each sides openssl needs to support it)
16:58 < krzy> !tls-cipher
16:58 < vpnHelper> krzy: "tls-cipher" is http://sourceforge.net/mailarchive/forum.php?thread_name=48B01B33.6030806%40usa.net&forum_name=openvpn-users
16:59 < Dougy> erk krzy
17:00 < Dougy> It says i need to rebuild server key
17:00 < Dougy> thats just the one server key line right
17:00 < Dougy> right
17:00 < Dougy> not the whole redo clients and then redo the dh
17:01 < krzy> well
17:01 < krzy> i guess so as long as you're using the same CA and all
17:01 < krzy> just make sure its signed as a server
17:01 < Dougy> i assume for the sake of security i should redo them all?
17:01 < Concept-P> krzy: what use is the password challenge line in openvpn?
17:03 < krzy> 1sec
17:03 < krzy> !man
17:03 < vpnHelper> krzy: "man" is http://openvpn.net/index.php/documentation/manuals/openvpn-20x-manpage.html the man pages are your friend!
17:04 < krzy> err wait
17:04 < krzy> Concept-P, you said all your clients are on win right?
17:04 < krzy> if so, see !winpass
17:04 < Concept-P> krzy: almost. there are two that are not
17:04 < Concept-P> !winpass
17:05 < vpnHelper> Concept-P: "winpass" is openvpnGUI for windows has a change password feature that will change the passphrase on your .key files
17:05 < krzy> otherwise, you can change that manually at commandline
17:05 < Concept-P> krzy: but what is the use for them? I dont need to use them when connecting to the openvpn server?
17:05 < Dougy> krzy: im confused with this ns-cert thing
17:06 < Dougy> any good docs on how to do it
17:06 < krzy> http://openvpn.net/index.php/documentation/howto.html#mitm
17:06 < vpnHelper> Title: HOWTO (at openvpn.net)
17:06 < Dougy> wait
17:06 < Dougy> so all i have to do is ./build-key-server server
17:06 < Dougy> ?
17:07 < krzy> aye
17:07 < Dougy> god damn it
17:07 < krzy> then the client wont connect to anything with a cert signed by your CN unless it was built as a server cert
17:07 < Dougy> i did that before
17:07 < Dougy> :(
17:08 < Concept-P> Dougy: remember to set the commonname to the computer that will be using the cert =P (I made that error yesterday) =D
17:08 < krzy> hrm that seems to be more of a problem for people than i thought
17:08 < Dougy> Concept-P: what do you mean
17:08 < Dougy> when i do common names
17:08 < krzy> Concept-P maybe you could make a lil writeup about it on the wiki?
17:08 < Dougy> i do the name of the people going to be using the crt
17:08 < Dougy> cert
17:08 < Dougy> eg in my case "Douglas Haber"
17:08 < Dougy> o.O
17:09 < krzy> about cert generating for new people
17:09 < krzy> can common name be multiple words? never tried that
17:09 < Dougy> btw is ecrist one of the major openvpn coders or something
17:09 < Dougy> or expert w/e
17:09 < krzy> would make ccd/ weird
17:09 < Concept-P> krzy: well with the build-key scripts it asks for "Common Name (eg, your name or your server's hostname) []:" Its easy to think that it means the vpn servername
17:10 < krzy> i dont think hes a coder, but he helps a ton in this channel, knows what hes doing, and made a perl script (which is in fbsd ports) for admin'ing certs
17:10 < krzy> Concept-P, adding to the wiki is open to the public
17:10 < krzy> !wiki
17:10 < vpnHelper> krzy: "wiki" is https://www.secure-computing.net/wiki/index.php/OpenVPN
17:11 < krzy> you dont have to, but are welcome to add a writeup if you think it will help people
17:11 < krzy> i made the one shown in !route
17:11 < krzy> !route
17:11 < vpnHelper> krzy: "route" is https://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
17:11 < Concept-P> krzy: Ill do that. when I got mine going. =P
17:11 < krzy> Concept-P, still having problems??
17:11 < krzy> your setup looks good to me
17:12 < krzy> the writeup i made helps people understand route, push route, iroute, and ccd
17:12 < Concept-P> krzy: not really, Im regenerating all the certs with 4096 encryption. =P
17:12 < Dougy> er
17:12 < krzy> which is an extremely often asked ?
17:13 < Concept-P> krzy: so I havnt tried yet =)
17:13 < krzy> ohh right =]
17:13 < Dougy> how do you do it with 256 bit
17:13 < Dougy> i'm sure 256 is more than I have now
17:13 < krzy> dougy, by using tls-cipher
17:13 < Dougy> !tls-cipher
17:13 < vpnHelper> Dougy: "tls-cipher" is http://sourceforge.net/mailarchive/forum.php?thread_name=48B01B33.6030806%40usa.net&forum_name=openvpn-users
17:13 < krzy> yay someone else using the bot!
17:13 < Dougy> that doesnt help
17:13 < Dougy> I need step by step
17:13 < Dougy> like something to baby me
17:17 < krzy> openvpn --show-ciphers
17:17 < krzy> on both sides
17:18 < krzy> see what both sides support
17:18 < krzy> choose one thats in both sides and is what you want
17:19 < krzy> The --show-ciphers option (see below) shows all available OpenSSL ciphers, their default key sizes, and whether the key size can be changed. Use care in changing a cipher's default key size. Many ciphers have not been extensively cryptanalyzed with non-standard key lengths, and a larger key may offer no real guarantee of greater security, or may even reduce security.
17:20 < krzy> --tls-cipher l
17:20 < krzy> A list l of allowable TLS ciphers delimited by a colon (":"). If you require a high level of security, you may want to set this parameter manually, to prevent a version rollback attack where a man-in-the-middle attacker tries to force two peers to negotiate to the lowest level of security they both support. Use --show-tls to see a list of supported TLS ciphers.
17:22 < krzy> dougy, so like Concept-P used: cipher AES-256-CBC
17:23 < krzy> in both client and server configs
17:23 < krzy> so hes using 256 bit AES
17:23 < krzy> by default openvpn uses blowfish
17:24 < krzy> which is pretty damn good
17:25 < krzy> http://openmaniak.com/openvpn_tutorial.php seems to expand on this a little
17:25 < krzy> rumor has it that AES is crackable by some governments, but that cannot be confirmed or denied
17:26 < krzy> i stick to blowfish personally, but see nothing wrong with going to 256 AES
17:26 < Dougy> ah
17:26 < Dougy> AES-256-CBC 256 bit default key (fixed)
17:26 < Dougy> that means its supported?
17:26 < krzy> sure does
17:27 < Dougy> cool
17:27 < Dougy> now i need to figure out how to use it
17:27 < Dougy> ;p
17:27 < krzy> so you would add cipher AES-256-CBC to both configs
17:28 < Dougy> that's it?
17:28 < Dougy> there's no ssl cert signing or anything o.O
17:28 < Dougy> ?
17:28 < krzy> that was done when you made your certs
17:28 < Dougy> it supports all those types?
17:28 < krzy> cipher just changes the communication channel's encryption
17:28 < krzy> theres a few levels of encryption in openvpn
17:29 < krzy> both me and Concept-P choose to build our certs, tls static keys, and dh keys with 4096 keysizes
17:29 < krzy> and that doesnt affect what the communication channel uses
17:29 < krzy> certs are for auth
17:30 < krzy> dh key goes into that too
17:30 < Dougy> im not looking for extreme security
17:30 < Dougy> just something more than basic for now
17:30 < krzy> tls static key adds a signature to every packet
17:30 < krzy> cipher is for the stream of data
17:30 < krzy> well basic on openvpn is good
17:30 < krzy> openvpn is made with security in mind
17:31 < krzy> i use the default cipher personally, cause i trust blowfish encryption
17:31 < Dougy> k
17:31 < Dougy> I heard the windows client(s) are exploitable for windows
17:31 < Dougy> o.O
17:32 < krzy> i know nothing about that, got any links for evidence?
17:32 < Dougy> negative
17:32 < Dougy> my boss just told me it
17:32 < krzy> (i also dont use windows)
17:32 < Dougy> he made me uninstall the client from openvpn.se because there are exploits
17:32 < Dougy> o.O
17:32 < krzy> can you ask your boss for evidence?
17:32 < Dougy> i don't want to piss him off
17:32 < Dougy> :<
17:33 < Dougy> I value my job as being 15 it's the only chance I have to work at a DC
17:33 < krzy> did he find the exploits or make them?
17:33 < Dougy> chance^
17:33 * Dougy has no idea
17:33 < krzy> well, i cant comment on it then
17:34 < krzy> but with HMAC verification, no packets will be processed unless signed with your TLS static key
17:35 < Dougy> heh
17:35 < Dougy> honestly
17:35 < krzy> so unless the assumed exploit takes advantage of the HMAC verification process, or passes the HMAC verification process, it wont run
17:35 < Dougy> I will pay you $35 to write up a nice doc/wiki page/something about security
17:35 < Dougy> on openvpn
17:35 < Dougy> er i meant 25 but 35 will work o.O
17:35 < Dougy> so I can revisit in future
17:36 < krzy> ok, it'll take me a lil time tho, security in openvpn is not a small thing to write up
17:36 < krzy> they take it very serious
17:36 < Dougy> Well
17:36 < krzy> and much of it will be copy and pasting parts from howto and manpage
17:36 < Dougy> well
17:36 < Dougy> I mean like
17:36 < Dougy> Compile all the diff types into a big doc
17:37 < Dougy> and throw links to more info on it
17:37 * Dougy thinks that could actually be sold as an eBook if detailed enough
17:38 < krzy> i wouldnt sell it, i would put it on our wiki for the world to see / freely use
17:38 < Dougy> I guess
17:38 < Dougy> I could do that too
17:38 < krzy> tis the nature of the community =]
17:39 < Dougy> http://www.amazon.com/s/ref=nb_ss_gw?url=search-alias%3Daps&field-keywords=openvpn&x=0&y=0
17:39 < vpnHelper> Title: Amazon.com: openvpn (at www.amazon.com)
17:39 < Dougy> lots of openvpn books
17:39 < krzy> werd
17:40 < Dougy> but yeah
17:41 < Dougy> I really dont wanna pay for it, but it is time you'd have to spend doing it
17:42 < krzy> well, we'll see if ecrist wants to help me
17:42 < krzy> if i dont hafta spend a lot of effort on it i wont accept any $
17:42 < krzy> it just doesnt sound like a fun doc to write, so im not closing the possibility of accepting a couple $
17:43 < krzy> ie: i wouldnt be thinking bout writing it if you didnt bring that up
17:43 < krzy> lol
17:43 < Dougy> well
17:43 < krzy> but you're right that it would be a good doc for the wiki
17:43 < Dougy> I think that's a big thing that needs a lot of documentation
17:43 < krzy> theres a few levels of encryption that can each be configured differently
17:44 < Dougy> I personally would definitely bookmark + read it
17:44 < krzy> so first would come an overview, then a brief explanation of each, then how to configure each
17:45 < Dougy> yes
17:45 < Dougy> that's a great wiki page
17:45 < Dougy> heh
17:48 < krzy> lemme see somethin
17:49 < krzy> !secure
17:49 < vpnHelper> krzy: "secure" is (#1) http://openvpn.net/howto.html#security, or (#2) http://openvpn.net/index.php/documentation/security-overview.html
17:49 < krzy> http://openvpn.net/index.php/documentation/security-overview.html
17:49 < vpnHelper> Title: Security Overview (at openvpn.net)
17:49 < krzy> is that enough right there?
17:50 < krzy> thats the official ovpn security overview
17:50 < Dougy> reading
17:50 < Dougy> It kinda explains parts of it
17:50 < Dougy> I guess
17:50 < Dougy> I was referring to more of an explanation of each, and a step by step on how to do it
17:50 < Dougy> ste
17:50 < krzy> right, you're looking for that as the overview
17:50 < Dougy> p
17:50 < Dougy> Kind of like
17:50 < krzy> then more in depth on each part
17:51 < Dougy> "security for complete idiots"
17:51 < Dougy> like me
17:51 < krzy> right, like my routing writeup as compared to the howto's
17:51 < krzy> read my routing writeup and tell me if you understand it?
17:51 < krzy> !route
17:51 < vpnHelper> krzy: "route" is https://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
17:52 < Dougy> yep
17:52 < Dougy> like that but for security
17:52 < krzy> cool, so that was fully understandable?
17:53 < Dougy> i think so
17:53 < Dougy> let me skim more
17:53 < krzy> if you would as a favor, please fully read instead of skim
17:53 < Dougy> sure
17:53 < krzy> i know you dont need it for your setup, but would help me
17:53 < Dougy> give me five minutes and i'm on it
17:53 < Dougy> actually
17:53 < krzy> sure, whenever you can
17:53 < Dougy> on it right now
17:55 < Dougy> looks good
17:55 < krzy> cool
17:56 < krzy> tried to break it down as well as possible for the uninitiated cause it can be a source of confusion
17:56 < Concept-P> krzy: does the tls.key need to be signed by the ca?
17:56 < krzy> it took a bit of reading to get the understanding to write that up
17:56 < krzy> no tls.key is just a standalone static key
17:56 < krzy> has nothing to do with certs
17:57 < krzy> it adds HMAC verification to ALL packets
17:57 < krzy> so if packet going to vpn doesnt pass the HMAC verification, it doesnt get processed
17:58 < krzy> after the first packets pass hmac verification, the certs can be compared
17:58 < krzy> if the packets to compare certs dont pass hmac verification, no access
17:58 < Concept-P> krzy: right.. I remade all the certs and the tls.key. but its still bit*hing about tls error. so I was going to try to remove the tls part and see if it works then. fine. but then I get an error saying I cant use the ca option if Im not using the tls mode.
17:58 < krzy> (which was one of your problems, forget whose)
17:59 < krzy> umm
17:59 < krzy> show me the logs
18:00 < krzy> this wasnt the important part of the error before:
18:00 < krzy> Sat Aug 23 21:29:36 2008 TLS Error: incoming packet authentication failed from 192.168.134.32:1194
18:00 < krzy> this was:
18:00 < krzy> Sat Aug 23 21:29:36 2008 Authenticate/Decrypt packet error: packet HMAC authentication failed
18:01 < Concept-P> same error.
18:01 < krzy> the second one i pasted?
18:01 < Concept-P> And if I remove the tls auth section it all stops working and does not even get to logging.
18:01 < Concept-P> http://plu.nu/~concept/temp/
18:02 < vpnHelper> Title: Index of /~concept/temp (at plu.nu)
18:02 < krzy> did you remove it from both server and client?
18:02 < krzy> looks like at least 1 side still has tls-aututh
18:03 < Concept-P> that was before I removed the tls auth
18:03 < krzy> tls-auth
18:03 < Concept-P> after I removed it, the client will not even start.
18:04 < Concept-P> oh no.
18:04 < Concept-P> DOH!
18:04 < Concept-P> doh! and double doh!
18:06 < Concept-P> I might have figured it out.
18:07 < Concept-P> sit back and relax and I might get it to work in about three mins. =D
18:07 < krzy> coo
18:11 < krzy> lemm know WHATS IT WAS IF IT WORKS
18:11 < krzy> oops C/L
18:12 < Concept-P> krzy: if it is what I think it is.. the error was about 40 cm in front of the monitor =D
18:12 -!- pred2k5 [n=Torsten@dslb-088-069-222-177.pools.arcor-ip.net] has quit []
18:13 < krzy> lol
18:14 < krzy> i almost wanna make the bot learn that quote as !humanerror
18:14 < krzy> how you put it was funny =]
18:16 < Concept-P> krzy: I had set up the server to be able (in the future) to run multiple servers. so the configuration files were in /etc/openvpn/conf/[server] and the key files were in /etc/openvpn/conf/[server]/keys but the dir in the vars file was /etc/openvpn/keys. I had made a symbolic link to the right key dir.. but.. the link had disappeared and was replaced with a new directory.. hence.. the server was using all the old key files. =P
18:18 < krzy> ahh
18:18 < krzy> gotchya
18:18 < krzy> i just make a whole new dir for each vpn
18:18 < krzy> to keep it simple
18:19 < krzy> but whatever works for you =]
18:19 < Dougy> i only host 1 vpn per server
18:19 < Dougy> o.O
18:19 < krzy> dougy, thats much more normal
18:19 < Dougy> i only have 1 vpn
18:19 < Dougy> lol
18:20 < krzy> i chain a few together
18:20 < krzy> so i can route with the craziness
18:21 < krzy> each client machine connects to 2 servers and routes between them
18:21 < Dougy> im just doing it so my support desk's staff area can only be seen via vpn
18:21 < krzy> its an in-depth routing setup, but very much helped me to understand iroute, lol
18:21 < Dougy> and staff can still browse web while on vpn
18:21 < krzy> ya yours is a more normal usage
18:22 < krzy> to my knowledge im the only one who has bothered with my type of setup
18:23 < krzy> and what Concept-P may be doing with multiple servers on 1 server is one running tcp in the case where he ends up behind a nazi firewall and udp doesnt work
18:24 < krzy> which is less for business and more for personal
18:28 < Concept-P> yeay! new error! =P
18:29 < Concept-P> Sat Aug 23 23:28:26 2008 192.168.134.101:1711 CRL: cannot read: conf/drmrp/keys/server.pem: Permission denied (errno=13)
18:29 < Concept-P> -rw-r--r-- 1 root root 1028 Aug 23 23:08 conf/drmrp/keys/server.pem
18:29 < krzy> check your permissions
18:29 < krzy> to the dir too
18:29 < Concept-P> AH!
18:30 < krzy> also, dont keep it world readable
18:30 < krzy> i make it readable by user the vpn drops to
18:30 < krzy> and owned by root
18:30 < krzy> world gets nothing
18:30 < krzy> err not by user vpn drops to, by group i mean
18:30 < krzy> although with persist-key and persist-tun you may not need group readable either
18:31 < krzy> in fact the point of them is so you dont
18:31 < krzy> so, ie: conf/drmrp/keys/server.pem make it 400
18:32 < krzy> and the dir, 500
18:32 -!- ompaul_ [n=ompaul@gnewsense/friend/ompaul] has quit [Remote closed the connection]
18:33 < Concept-P> yeah baby yeah! =D
18:33 < krzy> all is well? =]
18:34 < Concept-P> so far so good! =)
18:34 < Concept-P> I get an ip address on the client =D
18:34 < krzy> werd
18:34 < krzy> i take it you're still generating 4096 stuff too
18:34 < krzy> that takes FOREVER
18:34 < krzy> haha
18:34 < Concept-P> krzy: no, thats all done =)
18:34 < krzy> whoa
18:34 < krzy> certs, tls, dh?
18:34 < Concept-P> that was done an hour or so ago =)
18:35 < Concept-P> everything generated =)
18:35 < krzy> damn, you must have badass HW
18:35 < Concept-P> Xeon 2.13 Ghz Quad Core with 3gb ram =P
18:35 < krzy> yup thats pretty badass
18:35 < krzy> hehe
18:35 < Concept-P> well. the other server I have is nicer I think =P
18:35 < krzy> 2.6amd took me like 1/2 a day to gen 1
18:36 < Concept-P> Dual Xeon 2.0 ghx Quad core, 9gb ram and 2tb disk =)
18:36 < krzy> my macbook pro did them fast, but so fast i didnt trust the certs
18:36 < krzy> lol
18:36 < Concept-P> ghz even =)
18:36 < krzy> damn man, nice stuffs
18:36 * krzy borrows Concept-P's servers
18:37 < krzy> haha
18:37 < Concept-P> heh, well thats what they get when they say.. upgrade all the computers. you have a budget of 10,000 euro =D
18:38 < krzy> omg
18:38 < krzy> badass
18:38 < Concept-P> It was fun buying everything =P
18:38 < krzy> you're lucky to work where ever you work
18:39 < krzy> often people underfund IT
18:39 < Concept-P> krzy: I only work extra here =)
18:39 < Concept-P> krzy: well, the overkill is that the two servers are for 1. VPN server 2. Samba server
18:39 < Concept-P> =D
18:40 < Concept-P> but it was 4 new computers and three laptops as well =P
18:41 < Concept-P> But they are now supposed to last the next ? 10 years or so (yikes) =P
18:41 < Concept-P> we'll see about that part though =)
18:41 < krzy> they will last til HW dies
18:41 < krzy> hehe
18:42 < krzy> i mean hell you could still use a 300mhz box for that
18:42 < krzy> a pentium 1 would do the job
18:42 < krzy> hehe
18:42 < Concept-P> last time things were upgraded was about 8 years ago and the old samba server is from 95
18:43 < Concept-P> krzy: yeah, true, but then I cant use the servers for vps:es either. =D
18:44 < Concept-P> ok. now to get working on the ccd =D
18:46 < krzy> good, you're doing it right
18:46 < krzy> best to get it working, then add complexity
18:46 < Concept-P> =)
18:47 < Concept-P> krzy: in the manual the only example in the ccd part was to add subnet routing. Im guessing it works the same way but with a ifconfig push?
18:47 < krzy> sure does
18:47 < krzy> !push
18:47 < vpnHelper> krzy: "push" is usage: push , goes in the server config and makes the command act as if it was in the client config, can be used in ccd entries
18:47 < Concept-P> sweet =)
18:47 < krzy> !ccd
18:47 < vpnHelper> krzy: "ccd" is entries that are basically included into server.conf, but only for the specified client
18:48 < krzy> !menu
18:48 < vpnHelper> krzy: "menu" is !tls-cipher, !howto, !faq, !winroute, !iroute, !route, !mail, !tls-verify, !pastebin, !logs, !man, !ubuntu, !gentoo, !freebsd, !ccd, !mtu, !bridge, !tcp, !privledges, !insanity, !nat, !secure, !ask, !wiki, !sample, !configs, !winpass, !dev, !/30, !multi, !router, !notopenvpn, !path, !netman, !tls-auth
18:48 < Concept-P> krzy: do I then remove the ifconfig push from the main server conf?
18:48 < krzy> !learn menu as !tls-cipher, !howto, !faq, !winroute, !iroute, !route, !mail, !tls-verify, !pastebin, !logs, !man, !ubuntu, !gentoo, !freebsd, !ccd, !mtu, !bridge, !tcp, !privledges, !insanity, !nat, !secure, !ask, !wiki, !sample, !configs, !winpass, !dev, !/30, !multi, !router, !notopenvpn, !path, !netman, !tls-auth, !push
18:48 < vpnHelper> krzy: The operation succeeded.
18:48 < krzy> !forget menu 1
18:48 < vpnHelper> krzy: The operation succeeded.
18:48 < krzy> yes
18:48 < Concept-P> ait
18:49 < krzy> that would result in the ifconfig being pushed to every client
18:49 < Concept-P> thats what I thought =)
18:56 < Concept-P> Sat Aug 23 23:56:21 2008 drreception/192.168.134.101:1812 Options error: option 'ifconfig' cannot be used in this context
18:58 < Concept-P> in the ccd/drreception file its just ifconfig 192.168.5.1 192.168.5.101
18:58 < krzy> umm
18:58 < krzy> 192.168.5.0/24 is for vpn?
18:58 < Concept-P> yes =)
18:59 < krzy> for 1, server will be 5.1
18:59 < Concept-P> and 192.168.5.1 is the vpnserver
19:00 < Concept-P> should it just be ifconfig 192.168.5.101 ?
19:00 < Concept-P> I copy-pasted the line from the server conf =P
19:01 < krzy> so you want something like this:ifconfig 192.168.5.5 ifconfig 192.168.5.6
19:02 < krzy> err no
19:03 < krzy> push "ifconfig 192.168.5.5 192.168.5.6"
19:03 < krzy> for the first
19:03 < krzy> second should be .9 .10
19:03 < Concept-P> why 5.5 and 5.6?
19:03 < krzy> !/30
19:03 < vpnHelper> krzy: "/30" is http://openvpn.net/index.php/documentation/faq.html#slash30
19:04 < krzy> that will elab
19:04 < Concept-P> ahh. oki.
19:05 < Concept-P> so it doesnt have to be 5.5 and 5.6 .. could be 5.5 and 5.101 ?
19:05 < krzy> no
19:05 < Concept-P> damn there goes my network plan. =P
19:05 < Concept-P> oki =D
19:06 < krzy> do you get why?
19:06 < krzy> .5 is Virtual IP address in the OpenVPN Server
19:06 < krzy> .6 is the ip for the client
19:06 < Concept-P> yeah. but tcp/ip isnt my strong side.
19:06 < Concept-P> it has to do with broadcasts and stuff =)
19:06 < krzy> well, it has to do with an ugly hack to make routing in windows work
19:07 * Dougy pokes kraut
19:07 < Dougy> er krzy
19:07 < Dougy> krzy: question
19:07 < Dougy> :p
19:07 < krzy> Then OpenVPN assigns a /30 subnet for each client that connects. The first available /30 subnet (after the one the server is using) is:
19:07 < krzy> * 192.168.1.4/30
19:07 < krzy> * 192.168.1.4 -- Network address
19:07 < krzy> * 192.168.1.5 -- Virtual IP address in the OpenVPN Server
19:07 < krzy> * 192.168.1.6 -- Assigned to the client
19:07 < krzy> * 192.168.1.7 -- Broadcast address.
19:07 < krzy> Then to reach the rest of the network behind the OpenVPN server, you push a route to the client, so traffic is routed through 192.168.1.5.
19:07 < krzy> As 192.168.1.5 is only a virtual IP address inside the OpenVPN server, used as an endpoint for routes, OpenVPN doesn't bother to answer pings on this address, while the 192.168.1.1 is a real IP address in the server's O/S, so it will reply to pings.
19:07 < Concept-P> but 5.5 / 5.6 for client1 and 5.7 and 5.8 for client2 would work?
19:07 < krzy> It does cause a little waste of IP addresses, but it's the best way to allow a consistent configuration that works on all O/S supported by OpenVPN.
19:07 < krzy> The TAP-Win32 driver includes a DHCP server which assigns the 192.168.1.6 address to you, that's why you see 192.168.1.5 as DHCP server address.
19:07 < Concept-P> krzy: Yeah, I read it =)
19:07 < krzy> no
19:07 < Dougy> If I use tap instead of tun, does it work the same?
19:07 < krzy> 5.6 / 9.10
19:07 < Dougy> similar w/e
19:07 < krzy> err
19:07 < krzy> 5/6 9/10
19:07 < krzy> and so on
19:08 < Concept-P> krzy: so client three would have 13/14 and client4 17/18 ?
19:08 < krzy> each client uses 4 ips for its own
19:08 < Concept-P> oki four
19:08 < Concept-P> right. I thought right.
19:08 < krzy> so yes
19:08 < Dougy> eh, i have a /8 i can use so tun will work oO
19:08 < krzy> krzy: so client three would have 13/14 and client4 17/18 ?
19:08 < Dougy> holy shit its DARK out
19:08 < krzy> yes
19:09 < Dougy> :S
19:09 < krzy> dougy, please explain
19:09 < krzy> (not the dark part)
19:09 < krzy> lol
19:09 < Dougy> haha
19:09 < Concept-P> the dark part is probably because its night (CEST) =)
19:09 < Dougy> I was just wondering if tap has any benefits over tun for my purpose
19:10 < Dougy> Using a /30 per client is fine for my intents and purposes, but, was wondering if tap had any benefits
19:10 < krzy> !bridge
19:10 < vpnHelper> krzy: "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better., or (#4) useful for windows sharing (without wins server) and LAN gaming, anything where the (1 more message)
19:10 < krzy> !morte
19:10 < vpnHelper> krzy: Error: "morte" is not a valid command.
19:10 < krzy> !more
19:10 < vpnHelper> krzy: protocol uses MAC addresses instead of IP addresses.
19:11 * Dougy shrugs
19:11 < Dougy> i dont have time to read it
19:11 < Dougy> tomorrow
19:11 < Dougy> i will
19:12 < krzy> just see #4
19:12 < krzy> !bridge 4
19:12 < vpnHelper> krzy: Error: "bridge" is not a valid command.
19:12 < krzy> hrmz
19:12 < krzy> useful for windows sharing (without
19:12 < krzy> wins server) and LAN gaming, anything where the protocol uses MAC addresses instead of IP addresses.
19:12 < krzy> if thats not your case, you want routed
19:14 < krzy> for Concept-P it would let his samba clients browse by NETBIOS name, but i THINK he can still go by ip and be fine, or he could definitely use a wins server
19:14 < Concept-P> the samba server acts as a wins server as well =)
19:15 < Concept-P> and yes it can be accessed by ip only
19:16 < Concept-P> through windows Start->run->\\192.168.0.4 where 192.168.0.4 is the samba servers ip
19:19 < Concept-P> krzy: it still pushes the .2 ip to the client even though the push is removed from the server conf..
19:19 < Concept-P> Sun Aug 24 00:13:27 2008 drreception/192.168.134.101:1845 SENT CONTROL [drreception]: 'PUSH_REPLY,route 192.168.5.0 255.255.255.0 192.168.5.1,route-gateway 192.168.5.1,ping 10,ping-restart 30,ifconfig 192.168.5.50 192.168.5.51,ifconfig 192.168.5.2 255.255.255.0' (status=1)
19:19 < Concept-P> it now pushes both. =P
19:20 < Concept-P> but the client accepts only the .2
19:20 < Concept-P> and the ippool file is flushed manually =)
19:20 < Concept-P> krzy: any suggestions?
19:20 < Dougy> krzy: yeah, you know what my use(s) are
19:21 < Dougy> krzy
19:21 < Dougy> If I have..
19:21 < Dougy> If I have a /27 and I want 25 clients to all get their own IP so its like a mini isp
19:21 < Dougy> I would need to use tap for that
19:21 < Dougy> right?
19:21 < Dougy> like it'll dhcp them one
19:30 < krzy> nah
19:30 < krzy> you can use tun
19:30 < krzy> and sorry i had forgotten what you wanted
19:30 < krzy> heheh
19:30 < krzy> now i remember, ecrist was helpin ya last night
19:31 < krzy> your setup will be a ton like Concept-P's
19:31 < krzy> only you wont be using internal ips, you will use external ones
19:32 < krzy> while bridge would work too and allow less IP wasting, it would also allow clients to change their IPs
19:32 < krzy> with routed, you will lose some ips to the internal routing stuff, but will lock each in to their ip
19:33 < SilenceGold> lose?
19:33 < krzy> !learn cidr as http://www.oav.net/mirrors/cidr.html
19:33 < vpnHelper> krzy: The operation succeeded.
19:33 < SilenceGold> how do you lose ips to the internal routing stuff except for like gateway ip, broadcast ip?
19:33 < krzy> exactly
19:33 < krzy> 4 ips per client
19:34 < SilenceGold> lol
19:34 < krzy> he wants to hand out external IPs as opposed to an internal vpn block
19:34 < krzy> cause he has a /24 or /26 of ips
19:34 < SilenceGold> external IPs? you mean like Public IPs?
19:34 < krzy> yes
19:34 < SilenceGold> nah
19:34 < SilenceGold> you can use topology subnet as part of the beta versions
19:34 < Concept-P> wouldnt that be better to solve with some kind of NAT?
19:34 < SilenceGold> that will give one ip per client
19:34 < SilenceGold> I already got it working
19:35 < krzy> please explain more!
19:35 < krzy> sounds awesome
19:35 < SilenceGold> there's one of my answers on the FAQ
19:35 < SilenceGold> hrm..I can't remember the url to that unofficial FAQ
19:35 < Concept-P> doh =D
19:35 < krzy> our faq or another?
19:35 < SilenceGold> let me look at your faq
19:35 < SilenceGold> url?
19:35 < krzy> !wiki
19:35 < vpnHelper> krzy: "wiki" is https://www.secure-computing.net/wiki/index.php/OpenVPN
19:36 < SilenceGold> no that's ecrist's
19:36 < krzy> actually, rmulls
19:36 < krzy> but ya
19:36 < SilenceGold> that's ecrist's domain
19:36 < krzy> right, ecrist runs the wiki, rmull wrote that up
19:36 < SilenceGold> "How do I route public IPs to my VPN clients without using NATD? "
19:37 < SilenceGold> that's my answer there
19:37 < SilenceGold> http://info.deafhogs.org/index.php/VPN_Access
19:37 < vpnHelper> Title: VPN Access - HaulmarkWiki (at info.deafhogs.org)
19:37 < SilenceGold> I set that up
19:38 < krzy> nice!
19:38 < SilenceGold> haven't even gotten to the point of finishing it yet
19:38 -!- djs26 [n=djs@unaffiliated/djs26] has joined ##openvpn
19:38 < SilenceGold> it's mostly the students..and few journalists who went to china that are using it
19:38 < Dougy> my ride is here, im outtie
19:38 < krzy> adios Dougy
19:38 < SilenceGold> later
19:38 < Concept-P> bye =)
19:39 < krzy> SilenceGold, wheres the answer to his problem?
19:39 < SilenceGold> i was pointing out that you can assign one ip per client
19:39 < Concept-P> krzy: did you have any suggestions on the push?
19:39 < SilenceGold> not 4
19:39 < krzy> right, if no windows clients
19:39 < krzy> with ip-config-pool linear
19:39 < krzy> but his is for windows
19:40 < SilenceGold> you can do one ip per client for windows too
19:40 < SilenceGold> just have to use the beta version with "topology subnet"
19:41 < SilenceGold> [19:21:05] If I have a /27 and I want 25 clients to all get their own IP so its like a mini isp...
19:41 < krzy> looks like i got some reading to do
19:41 < SilenceGold> it is possible if you use the beta version with the "topology subnet"
19:53 < krzy> very cool SilenceGold, thank you
19:54 < krzy> !learn /30 as it is possible to avoid this behavior if you use the beta version with the "topology subnet" option
19:54 < vpnHelper> krzy: The operation succeeded.
19:54 < krzy> !/30
19:54 < vpnHelper> krzy: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30, or (#2) it is possible to avoid this behavior if you use the beta version with the topology subnet option
19:55 < krzy> !forget /30
19:55 < vpnHelper> krzy: Error: 2 factoids have that key. Please specify which one to remove, or use * to designate all of them.
19:55 < krzy> !forget /30 *
19:55 < vpnHelper> krzy: The operation succeeded.
19:56 < krzy> !learn /30 as http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips
19:56 < vpnHelper> krzy: The operation succeeded.
19:57 < krzy> !learn /30 as it is possible to avoid this behavior if you use the beta version with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html
19:57 < vpnHelper> krzy: The operation succeeded.
19:57 < krzy> !/30
19:57 < vpnHelper> krzy: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) it is possible to avoid this behavior if you use the beta version with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html
19:57 < krzy> i had no idea, that is definitely the solution for him
19:59 < Concept-P> damn. not even on another computer does the client get the ip given in the ccd conf
20:00 < krzy> what does it get?
20:00 < Concept-P> .3
20:00 < krzy> .3!?
20:00 < krzy> umm, ya sure?
20:01 < Concept-P> yes. but I will check again.
20:01 < krzy> ifconfig in client
20:01 < Concept-P> ipconfig in client. windows special =D
20:01 < Concept-P> .3
20:02 < Concept-P> but it cant ping .2 only .1
20:02 < krzy> shouldnt be able to ping .2
20:02 < Concept-P> ok
20:03 < Concept-P> from the serverlog:
20:03 < Concept-P> Sun Aug 24 00:56:23 2008 drkontor/192.168.134.102:1194 SENT CONTROL [drkontor]: 'PUSH_REPLY,route 192.168.5.0 255.255.255.0 192.168.5.1,route-gateway 192.168.5.1,ping 10,ping-restart 30,ifconfig 192.168.5.80 192.168.5.81,ifconfig 192.168.5.3 255.255.255.0' (status=1)
20:04 < Concept-P> and I have commented out the push "ifconfig ..." line from the server conf.
20:07 < krzy> start at a low number
20:07 < krzy> im not sure if .80 and .81 are the right numbers to pick
20:07 < krzy> maybe yes, maybe no
20:07 < krzy> depends where they fall into the /30
20:08 < krzy> im thinking no tho, since it would be .9 and .10, adding 4 to each side would lead to .89 and .90 when up that high
20:09 < Concept-P> oh they have to be in order.. I took 50/51 on the first client 60/61 on the second and so on. I didnt want to do math this late. ;)
20:12 < Concept-P> but its still strange that client2 got .3 then.
20:13 < krzy> to me, very
20:14 < krzy> try starting at 49/50
20:14 < krzy> since its 9/10 and you always add 4 to find next, taking 9/10 and adding 40 yields 49/50
20:14 < krzy> just do 1 while testing
20:15 < krzy> and yes, since it is using /30 it will need to be the right #'s accordingly
20:16 < krzy> the .3 being given out is new to me
20:18 < krzy> Then OpenVPN assigns a /30 subnet for each client that connects. The first available /30 subnet (after the one the server is using) is:
20:18 < krzy> * 192.168.1.4/30
20:18 < krzy> * 192.168.1.4 -- Network address
20:18 < krzy> * 192.168.1.5 -- Virtual IP address in the OpenVPN Server
20:18 < krzy> * 192.168.1.6 -- Assigned to the client
20:18 < krzy> * 192.168.1.7 -- Broadcast address.
20:18 < Concept-P> krzy: it seems to be handing out ips through the ip pool even though the ccd conf says different
20:21 < krzy> eventually you will want to see this part of the openvpn FAQ:
20:21 < krzy> How can I connect Windows XP to a Linux-based Samba server using routing rather than bridging?
20:21 < krzy> !faq
20:21 < vpnHelper> krzy: "faq" is http://openvpn.net/index.php/documentation/faq.html
20:21 < krzy> but first we need to get you using static
20:21 < krzy> theres a reason you need static right?
20:23 < Concept-P> hmm. I cant find the paragraph where it brings up static ips, only static keys.
20:23 < krzy> try commenting out the pool
20:23 < krzy> and add ifconfig 192.168.5.1 255.255.255.0
20:23 < krzy> to main server config
20:24 < Concept-P> well first the samba server needs to be on a static ip. the rest is for me to be able to connect via vnc over the vpn so I can help the users that cant get things to work. =D
20:24 < krzy> and mode server
20:24 < krzy> oh samba server is connected to vpn and not just on same LAN as the openvpn server?
20:25 < Concept-P> the samba server listens only to the tap interface.
20:25 < krzy> additional harm by having it only listen on LAN ip?
20:25 < krzy> ie: people on the lan that should NOT have access?
20:26 < Concept-P> well not really. but the remote users that connect with the vpn need to be able to connect to the samba server as well.
20:26 < krzy> ya that can be done easy enough either way
20:26 < krzy> i mean if you really want static we should be able to make that work
20:27 < krzy> although getting samba server connected to vpn on same lan should not work
20:27 < krzy> for that heres what ya do...
20:27 < krzy> whats samba server's lan ip?
20:28 < Concept-P> I have already gotten it to work with dynamic ips =)
20:28 < krzy> !route
20:28 < vpnHelper> krzy: "route" is https://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
20:28 < Concept-P> .32
20:28 < krzy> you connected samba server to vpn server on the same lan ?
20:28 < Concept-P> yes =)
20:28 < Concept-P> no problems. =)
20:28 < krzy> umm, not unless they are separated by 2 routers
20:29 < krzy> !samelan
20:29 < vpnHelper> krzy: Error: "samelan" is not a valid command.
20:29 < krzy> !lan
20:29 < vpnHelper> krzy: "lan" is you can NOT run both endpoints of openvpn on the same LAN.
20:29 < krzy> i should make a writeup that explains why
20:29 < Concept-P> I got it to work with a test net. 3 computers, 1 vpn server, 1 samba server, 1 client. the samba server only listened on the tap interface.
20:30 < Concept-P> but that was with dynamic ips.
20:30 < krzy> anyways, did you try what i said?
20:30 < Concept-P> the routing part?
20:30 < krzy> no
20:30 < krzy> try commenting out the pool
20:30 < krzy> and add ifconfig 192.168.5.1 255.255.255.0
20:30 < krzy> to main server config
20:30 < krzy> and mode server
20:30 < Concept-P> oh right.
20:31 < Concept-P> just about to =)
20:34 < Concept-P> i only have the line #ifconfig-pool-persist conf/drmrp/ip_pool.txt
20:34 < Concept-P> well now commented out. =P
20:34 < krzy> ohhh
20:34 < krzy> ya thats no good
20:34 < krzy> paste me your server config
20:34 < krzy> but ya you def want that commented out
20:35 < krzy> btw after you connected samba server to openvpn server on the same lan, you could ping?
20:36 < Concept-P> I dont remember if I tried that. But I could use the samba shares.
20:37 < Concept-P> http://plu.nu/~concept/temp/
20:37 < krzy> well cool
20:37 < vpnHelper> Title: Index of /~concept/temp (at plu.nu)
20:37 < krzy> what ive learned says it shouldnt work, but if you say it does, go for it
20:37 < Concept-P> as long as the client was connected to the vpn. if it wasnt the server disappeared ;P
20:39 < krzy> ahh
20:40 < krzy> remove your push route
20:40 < krzy> thats unneeded as its the block your vpn uses
20:40 < krzy> pushing the route is for a route behind the vpn
20:41 < krzy> like if your clients were gunna access your lan
20:41 < krzy> i THINK your ifconfig in server.conf needs to be 192.168.5.1 255.255.255.0
20:42 < krzy> try that
20:42 < krzy> along with your ccd handing out the ips i said earlier
20:42 < krzy> if that doesnt work i want you to comment out the server line, and replace it with mode server
20:43 < ecrist> Dougy: what's up?
20:44 < ecrist> what's going on, folks?
20:45 < krzy> wassssup
20:46 -!- ChanServ changed the topic of ##openvpn to: Home Page: http://openvpn.net | HowTo: http://openvpn.net/howto | Current Release 2.0.9 | Wiki: https://www.secure-computing.net/wiki/index.php/OpenVPN | Pastebin your copy over 5 lines. | Don't feed the trolls.
20:55 < Concept-P> krzy: oki, I try that.
20:57 < krzy> ecrist, tryin to help Concept-P get static ips working
20:58 < krzy> ive never had a reason to do that so any input of yours is welcome and even requested ;]
20:58 < Concept-P> ecrist: Im having problems =D
21:00 < Concept-P> krzy: the first option didnt work. and when I remove the server line I get an error:
21:00 < Concept-P> Options error: --ifconfig-pool-persist must be used with --ifconfig-pool
21:00 < Concept-P> and openvpn (server) wouldnt start
21:01 < krzy> umm, you commented ifconfig-pool-persist conf/drmrp/ip_pool.txt didnt you?
21:02 < Concept-P> krzy: yeah, but I put it back when you said it was a bad idea. Ill remove it again =D
21:02 < krzy> ohh i meant bad idea to have that line
21:02 < krzy> you will NOT want that line with static ips
21:02 < Concept-P> ahh =P
21:02 < Concept-P> woot!! =D
21:03 < Concept-P> ip on client1 is .49 =D
21:03 < krzy> i take it that made it work?
21:03 < krzy> sweet
21:03 < Concept-P> checking client2
21:03 < krzy> and it can access samba?
21:05 < krzy> or at least it can ping the server at .1?
21:05 < Concept-P> ping to .1 good.
21:05 < Concept-P> going to start the samba server in a couple of mins. =)
21:08 < krzy> werd
21:08 < krzy> would be cool if you get the time to make a writeup on openvpn with static ips for the wiki
21:08 < krzy> for the next guy
21:08 < krzy> its like sitting here helping everyone who has the same problems you had, but only takes a little time to do
21:09 < Concept-P> I have been thinking about how to thank you for helping me, so a writeup is the least I can do =)
21:09 < krzy> ya thats the best way
21:09 < krzy> saves me from ever manually helping someone with that stuff again =]
21:09 < Concept-P> krzy: if client1 had 49 as a ip the next usable would be 52?
21:10 < krzy> +4
21:10 < Concept-P> hehe =D
21:10 < Concept-P> 53
21:10 < Concept-P> air
21:10 < Concept-P> ait even
21:11 < krzy> and boom, im gone for a few hours
21:11 < krzy> when you see me back here, ill be drunk
21:11 < krzy> =]
21:11 < Concept-P> and client2 works! =D
21:11 < Concept-P> yeay!
21:11 < Concept-P> krzy: drink a couple for me too. ;)
21:31 -!- djs26 [n=djs@unaffiliated/djs26] has quit [Remote closed the connection]
21:37 -!- near [n=near@88-122-17-249.rev.libertysurf.net] has quit [Read error: 110 (Connection timed out)]
21:38 -!- near [n=near@83-155-186-245.rev.libertysurf.net] has joined ##openvpn
22:51 < ecrist> Concept-P: did you get things working?
--- Day changed Sun Aug 24 2008
00:11 < Concept-P> ecrist: yeah! =D
00:11 < Concept-P> ecrist: well. the vpn part anyway. now the samba server is fscking with permissions. but what the heck =)
00:12 < Concept-P> ecrist: I told krzy I would do a writeup of the whole thing for the wiki as a thank you =)
00:23 < SilenceGold> hrm
02:15 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn
02:41 < ecrist> Concept-P: back for a bit - can't sleep, have a bad cold.
02:41 < krzee> werd
02:41 < krzee> i have beeping UPSs
02:42 < krzee> cause power had been out so long the power inverters that run on car batteries are out of juice
02:42 < krzee> if i suddenly disappear, the UPS hooked to my router/cablemodem is dead
02:42 < krzee> hehe
02:49 < Concept-P> haha =)
02:49 < Concept-P> ecrist: Im sorry to hear that =)
02:50 < Concept-P> well so far everything works as it should.. almost.. =D
02:51 < Concept-P> krzee: does that mean you're drunk now? =)
02:51 < krzee> not fully
02:52 < krzee> my friends wanted to smoke and pulled me away too early to be drunk
02:53 < Concept-P> damn.. I think Im starting to get really tired.. I just uninstalled the samba server on the wrong machine. =P
02:53 < Concept-P> krzee: and you didnt want to smoke?
02:54 < krzee> hah im pretty blazef
02:54 < krzee> blazed
02:55 < Concept-P> haha =D
02:56 < Concept-P> =)
02:56 < Concept-P> no worries then =)
02:56 < krzee> !learn samba as http://openvpn.net/faq#samba-routing
02:56 < vpnHelper> krzee: The operation succeeded.
02:56 < krzee> !forget samba
02:56 < vpnHelper> krzee: The operation succeeded.
02:57 < krzee> !learn samba as http://openvpn.net/faq#samba-routing for using samba with a routed tun, or use NETBIOS with a bridge
02:57 < vpnHelper> krzee: The operation succeeded.
02:58 < Concept-P> hmm, maybe I should read that =P
02:58 < krzee> ;]
02:58 < krzee> except your vpn is already good
02:59 < krzee> and your clients can ping the machine with samba on it?
02:59 < Concept-P> yeah, and thats too simple for me =D
03:01 < Concept-P> krzee: yeah. I can access the samba server just fine. logging in is not a problem. the problem Im having now is permissions within the share. atm I got in though. tailing logs and stuffs to find out why it sometimes doesnt work =)
03:01 < krzee> ahh
03:01 < krzee> i guess the only useful part of that is how to mount the samba share from commandline / batch file
03:01 < krzee> net use g: \\192.168.1.5\Daten /USER:user1 <-- your account on samba!!
03:02 < krzee> if that command has a PASS flag, you can make openvpn start it
03:02 < Concept-P> krzee: yeah, but I reconnect the share on boot =)
03:02 < krzee> cant reconnect the share if not on vpn
03:02 < ecrist> blarg, I need to update the freebsd howto one of these days
03:03 < krzee> it doesnt seem overly fbsd dependent
03:03 < ecrist> Concept-P: did you get your static IPs working?
03:04 < Concept-P> ecrist: yes I did =)
03:04 < ecrist> good.
03:04 < Concept-P> finally =)
03:05 < Concept-P> I think all the clients are updated now. =)
03:05 < ecrist> what problems were you running in to?
03:05 < Concept-P> ecrist: now? samba permissions on folders within a share =P
03:05 < ecrist> no, with static IPs.
03:05 < Concept-P> and a stupidass software issue.
03:06 < krzee> ecrist,
03:06 < krzee> here was his conf: http://plu.nu/~concept/temp/drmrp.conf
03:06 < Concept-P> ecrist: no problems at all with the static ips, or openvpn at all. =)
03:06 < krzee> and he had ccd/ entry giving ips
03:06 < krzee> had him lose: ifconfig-pool-persist conf/drmrp/ip_pool.txt
03:07 < krzee> oh wait that was towards the end
03:07 < krzee> before that we had to lose the server ip command
03:07 < ecrist> there's no ccd entry in that server config.
03:08 < Concept-P> hmm.
03:08 < krzee> o_O thats true
03:08 < krzee> ... thats weird
03:09 < krzee> erm, and whys it say dev tap!
03:09 < Concept-P> I can up the working conf in a sec. the computer kinda hung.. and the vpn went down.. Im not sure why.
03:09 < krzee> HAH thats why its working!
03:09 < krzee> its a bridged setup
03:10 < krzee> (one of his clients is on the same LAN as the server, and it is working)
03:10 < krzee> was trippin me out
03:10 < krzee> can you post your current config?
03:11 < krzee> you have a tcp bridge, should at least make it udp
03:12 < Concept-P> krzee: its changed to udp now =)
03:12 < ecrist> why do you have a local client connecting to the vpn?
03:15 < Concept-P> there. now the current conf is in that dir. called new.conf
03:16 < Concept-P> ecrist: I dunno. maybe thats why it wasnt working? =P
03:18 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
03:21 < ecrist> Concept-P: connecting to a VPN from the same network is asking for problems.
03:21 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
03:22 < Concept-P> ecrist: heh, it sounds kinda obvious when you put it that way =D
03:22 < krzee> what did i miss there?
03:22 < krzee> [04:12] why do you have a local client connecting to the vpn?
03:22 < krzee> [04:22] ecrist: heh, it sounds kinda obvious when you put it that way =D
03:22 < krzee> sounds like 10min of info, lol
03:23 < ecrist> krzee: nothing.
03:23 < krzee> ecrist, did you see SilenceGold's solution for Dougy?
03:24 < krzee> !/30
03:24 < vpnHelper> krzee: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) it is possible to avoid this behavior if you use the beta version with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html
03:24 < ecrist> krzee: yeah, I knew that. I told him to do that yesterday
03:24 < Concept-P> =D
03:25 < krzee> hah i missed it
03:25 < Concept-P> damn. I need to optimize samba. =P
03:26 < krzee> or it rolled off me, i thought we had both said he needed to waste more ips
03:33 < ecrist> yep, around 14:21 my time, I told him to use beta.
03:33 < krzee> ahh cool
03:34 < krzee> which tz ya in anyways?
03:34 < krzee> im -5 (EST)
03:34 < ecrist> -6
03:34 < krzee> ahh werd
03:39 < krzee> ok Concept-P
03:39 < krzee> thats why you got ip .3
03:39 < krzee> and you can choose any IP # btw
03:39 < krzee> cause you arent using routed
03:39 < krzee> lol
03:39 < krzee> you have a bridge
03:40 < Concept-P> ahh oki.
03:40 < krzee> tun devices encapsulate IPv4 while tap devices encapsulate ethernet 802.3.
03:41 < Concept-P> well, everything is working now. so Im not touching it! =P
03:41 < krzee> thats why i was so confused about your client being on the same lan and working, and about the .3
03:41 < krzee> ya, might as well leave it alone
03:41 < krzee> heheh
03:41 < Concept-P> even the crap software they are using. =D
03:42 < Concept-P> first of all its 16bit software.. !
03:42 < Concept-P> and it doesnt have tcp/ip support.. it needs to have a mounted share to run =P
03:43 < krzee> heh
03:43 * ecrist gets groggy and goes to sleep
03:43 < krzee> 'nite ecrist
03:43 < Concept-P> nite =)
03:44 < Concept-P> (or good day here) =D
03:44 < Concept-P> I want to go to sleep too. =/
04:24 -!- bandini [n=bandini@host244-109-dynamic.25-79-r.retail.telecomitalia.it] has quit [Read error: 113 (No route to host)]
04:26 -!- bandini [n=bandini@host244-109-dynamic.25-79-r.retail.telecomitalia.it] has joined ##openvpn
04:48 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Client Quit]
05:59 -!- bandini [n=bandini@host244-109-dynamic.25-79-r.retail.telecomitalia.it] has quit [Read error: 113 (No route to host)]
06:00 -!- Usiu [n=mateusz@72.81.datacomsa.pl] has joined ##openvpn
06:00 < Usiu> HI
06:00 < Usiu> is there any GUI for server configuration?
06:01 -!- bandini [n=bandini@host244-109-dynamic.25-79-r.retail.telecomitalia.it] has joined ##openvpn
06:02 < Concept-P> Not to my knowledge =)
06:03 < Usiu> that sucks
06:03 < Concept-P> maybe, maybe not. with a gui, you're kinda stuck with certain options. =)
06:04 < Usiu> Concept-P: but its simple and works
06:04 < Usiu> Concept-P: and is fast
06:04 < Usiu> Concept-P: you dont have to be a openvpn developer to set it up
06:05 < Usiu> Concept-P: or Linux system administrator with over a year of practice in doing this stuff
06:05 < Concept-P> Im not a developer and I got one working.. (with a couple of hours help from people here) But I had a special case too =P
06:05 < Usiu> it just means that new users can't do it
06:06 < Concept-P> Usiu: a simple setup? tried the example scripts that come along with openvpn?
06:06 < Usiu> Concept-P: yes
06:06 < Usiu> Concept-P: but I am not sure how to use them anyway
06:07 < Usiu> I dont have time to spend on setting such a simple thing like vpn
06:07 < Usiu> it should take 4-10min
06:07 < Usiu> not couple of hours
06:07 < Concept-P> heh
06:08 < Concept-P> Usiu: the example scripts should work out of the box if you generate the certificates =)
06:09 < Usiu> Concept-P: generating certificates is another thing
06:09 < Usiu> is there something like shared password in VPN ?
06:09 < Usiu> or pam authentication ?
06:10 < Concept-P> well.. the certificates are like shared encrypted password files. =)
06:12 < Usiu> Concept-P: If I had to choose between popping out a dialog asking for a password and a file selection dialog to select a file with a password, I would choose the first solution. When it comes to openvpn its not even the second one. Because you have to generate them and provide them somewhere manually and this is a lot of pain in most cases as openssl versions or whatever tool is used are different.
06:14 < Concept-P> Usiu: with almost all encryption states you need to generate something.. with a gui or not.
06:15 < Usiu> Concept-P: but most of the tools I use do it automatically (transparently) or use a gui for it. Even pidgin does it automatically.
06:16 < Concept-P> Usiu: it isnt hard to run the easy-rsa scripts...
06:17 < Usiu> Concept-P: is there any non encrypted vpn setup ?
06:19 < Concept-P> Usiu: yes, but I dont know how to do that =D
06:20 < Concept-P> Usiu: you just need to link two networks together? no need for security?
06:20 < Usiu> yes
06:21 < Usiu> its over internet so I dont really care
06:21 < Usiu> moreover data exchanged are not so important
06:22 < Concept-P> Usiu: what kind of data need to be exchanged?
06:24 < Usiu> Concept-P: pdf, music, photos
06:25 < Usiu> Concept-P: also I want someone to use my local printer
06:25 < Concept-P> Usiu: like a windows share?
06:25 < Usiu> Concept-P: yes, I want to run samba on that network
06:27 < Concept-P> Usiu: shares can be used over the internet without vpn. (not recommended though, for security reasons) =)
06:29 < Usiu> Concept-P: but configuration is already for local network
06:29 < Usiu> Concept-P: so I want to keep it this way
06:29 < Usiu> Concept-P: so it does not matter where I am
06:30 < Usiu> Concept-P: if I come back to network, or I am at home printer would have the same address
06:30 < Usiu> which is local address
06:31 < Concept-P> Usiu: does the share have a external ip? (or is it possible to forward a port to the samba server?)
06:32 < Concept-P> in that case, just connect with the external ip ie: \\81.100.123.3\sharename
06:33 < Usiu> Concept-P: yhm
06:33 < Usiu> ok thanks
06:34 < Concept-P> Usiu: dont thank me, I just told you how to open a backdoor to your system... its better to have security =)
06:34 < Usiu> I dont really care about security :)
06:35 < Usiu> unless someone is damaging my filesystem with /dev/urandom garbage:P
06:36 < Concept-P> heh oki. =P
06:36 < Usiu> Concept-P: heh http://openvpn.net/index.php/documentation/miscellaneous/static-key-mini-howto.html
06:36 < vpnHelper> Title: Static Key Mini-HOWTO (at openvpn.net)
06:37 < Usiu> Concept-P: is static.key the same thing as shared key ?
06:38 < Concept-P> Usiu: hmm, now youre asking me things Im not sure of. But since both client and server need the same key file, I would say its shared =D
06:39 < Concept-P> But Im guessing =)
06:59 -!- xybre [n=xybre@bb4win/users/fluffy] has joined ##openvpn
07:05 -!- Usiu [n=mateusz@72.81.datacomsa.pl] has quit ["Ex-Chat"]
07:17 -!- xybr3 [n=xybre@bb4win/users/fluffy] has quit [Read error: 110 (Connection timed out)]
08:35 < ecrist> thank god he left.
09:17 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn
09:52 -!- near [n=near@83-155-186-245.rev.libertysurf.net] has quit [Read error: 60 (Operation timed out)]
09:58 -!- near [n=near@83-155-186-245.rev.libertysurf.net] has joined ##openvpn
11:42 < Dougy> ecrist!
11:42 < Dougy> Are you still there?
11:55 < Dougy> Damn it.
11:56 * Dougy pokes krzee
11:57 -!- BoomSie [n=gideon@212-182-158-43.ip.telfort.nl] has joined ##openvpn
12:07 < krzee> hey
12:08 < Dougy> yooo krzee
12:08 < krzee> dougy, ecrist and SilenceGold had your solution
12:08 < Dougy> mIRC cleared the window on me so i missed what was said last night when i left
12:08 < krzee> !/30
12:08 < vpnHelper> krzee: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) it is possible to avoid this behavior if you use the beta version with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html
12:08 < krzee> you want #2
12:08 * Dougy loads
12:09 < Dougy> that looks excellent
12:09 < Dougy> IMHO that is far better than a /30 per client
12:09 < Dougy> Don't you agree?
12:11 < krzee> very much so 12:11 < krzee> which is why i let ya know bout it =] 12:11 < krzee> its exactly what you want 12:18 < Dougy> yup 12:18 < Dougy> I think that should be come standard in OpenVPN 12:18 < Dougy> I have bookmarked that as well 12:18 < Dougy> Its from 2005 :| 12:28 < krzee> just upgrade 12:28 < krzee> i use that version anyways 12:29 < Dougy> hm 12:29 < Dougy> ill have to read more after i repair this serve 12:29 < Dougy> r 12:29 < krzee> OpenVPN 2.1_rc9 -- released on 2008.07.31 12:29 < krzee> use that version 12:30 < krzee> Windows Vista-ready on both x86 and x64. 12:30 < krzee> OpenVPN GUI is now packaged in the Windows installer. 12:30 < krzee> topology subnet feature, allowing intuitive tun-based VPN subnets having 1 IP address per client. 12:30 < krzee> TAP-Win32 adapter can now be opened from non-administrator mode. 12:31 < krzee> !learn betaman as http://www.openvpn.net/man-beta.html 12:31 < vpnHelper> krzee: The operation succeeded. 12:31 < krzee> !menu 12:31 < vpnHelper> krzee: "menu" is !tls-cipher, !howto, !faq, !winroute, !iroute, !route, !mail, !tls-verify, !pastebin, !logs, !man, !ubuntu, !gentoo, !freebsd, !ccd, !mtu, !bridge, !tcp, !privledges, !insanity, !nat, !secure, !ask, !wiki, !sample, !configs, !winpass, !dev, !/30, !multi, !router, !notopenvpn, !path, !netman, !tls-auth, !push 12:31 < krzee> !learn menu as !betaman, !tls-cipher, !howto, !faq, !winroute, !iroute, !route, !mail, !tls-verify, !pastebin, !logs, !man, !ubuntu, !gentoo, !freebsd, !ccd, !mtu, !bridge, !tcp, !privledges, !insanity, !nat, !secure, !ask, !wiki, !sample, !configs, !winpass, !dev, !/30, !multi, !router, !notopenvpn, !path, !netman, !tls-auth, !push 12:31 < vpnHelper> krzee: The operation succeeded. 12:31 < krzee> !forget menu 1 12:31 < vpnHelper> krzee: The operation succeeded. 
12:33 < krzee> i forget if it was you or Concept-P whose boss said that openvpn gui had a security issue 12:33 < krzee> but [13:30] TAP-Win32 adapter can now be opened from non-administrator mode. 12:33 < krzee> may make him happy 12:33 < Dougy> it was my boss 12:34 < krzee> also, if whatever hes talking about is true he should let mathias know 12:34 < Dougy> k 12:34 < Dougy> i need to look into the single ip soon 12:34 < Dougy> soon as I finish chewing out this customer 12:34 < Dougy> douchebag 12:34 < krzee> lol 12:34 < Dougy> hes hosting a 200+ concurrent user vB site 12:34 < Dougy> on a P4 3.0 12:35 < Dougy> with 1 GB RAM and an IDE drive 12:35 < Dougy> "I want SLA credits because my server keeps going down and overheating." 12:35 < Dougy> NO DUH, DIP SHIT. 12:35 < Dougy> jeez 12:35 < krzee> lol 12:35 < Dougy> and he wont upgrade 12:35 < Dougy> "This P4 should be able to handle 400 online no problem" 12:35 < krzee> bahah 12:35 < krzee> enjoy that 12:35 < Dougy> I actually started laughing at him 12:35 < krzee> 400 users viewing a test file ;] 12:35 < Dougy> I said "We have sites with 400 online and they have a 5 server cluster to handle it" 12:35 < Dougy> lol 12:39 < Dougy> er krzee 12:39 < Dougy> the beta link on that is bad 12:39 < Dougy> the download link on osdir 12:40 < krzee> [13:30] TAP-Win32 adapter can now be opened from non-administrator mode. 12:40 < krzee> oops 12:40 < krzee> http://sportsillustrated.cnn.com/2008/olympics/2008/08/23/taekwondo.ban.ap/index.html 12:40 < vpnHelper> Title: Cuban athlete banned for life after kicking taekwondo ref - 2008 Olympics - SI.com (at sportsillustrated.cnn.com) 12:40 < krzee> dont download from very old link on a mail list 12:40 < krzee> download from openvpn.net 12:41 < krzee> !learn download as http://www.openvpn.net/index.php/downloads.html 12:41 < vpnHelper> krzee: The operation succeeded. 12:41 < Dougy> just the latest beta? 
12:41 < Dougy> ahaha 12:41 < Dougy> 2_1 12:41 < Dougy> duh 12:41 < Dougy> right on 12:41 < krzee> [13:29] OpenVPN 2.1_rc9 -- released on 2008.07.31 12:41 < krzee> [13:29] use that version 12:41 < Dougy> righto 12:42 < krzee> !learn menu as !betaman, !tls-cipher, !howto, !faq, !winroute, !iroute, !route, !mail, !tls-verify, !pastebin, !logs, !man, !ubuntu, !gentoo, !freebsd, !ccd, !mtu, !bridge, !tcp, !privledges, !insanity, !nat, !secure, !ask, !wiki, !sample, !configs, !winpass, !dev, !/30, !multi, !router, !notopenvpn, !path, !netman, !tls-auth, !push, !download 12:42 < vpnHelper> krzee: The operation succeeded. 12:42 < Dougy> krzee: for the most part will my config work 12:42 < krzee> !forget menu 1 12:42 < vpnHelper> krzee: The operation succeeded. 12:42 < Dougy> the old one 12:42 < Dougy> or do i need to redo 12:42 < krzee> i believe so, if not show us the error 12:42 < krzee> no dont redo 12:42 < Dougy> okay 12:42 < Dougy> do you use rc9? 12:42 < krzee> i do 12:48 < Dougy> nice 12:48 < Dougy> someone here a while back told me against it, i don't recall who 12:51 < Dougy> oh krzee one more question 12:51 < Dougy> is there a safe way to install 2.1 over 2.0? like, i compiled 2.0 from source 12:51 < Dougy> i cant just recompile 2.1 over it, can i>? 12:54 < Dougy> :( 12:57 < Dougy> aha got it 13:04 < Dougy> krzee it works! 13:04 < Dougy> :D:D:D 13:04 < Dougy> 172.16.0.1 and .0.2 13:04 < Dougy> :D 13:05 < SilenceGold> :) 13:05 < Dougy> SilenceGold: Thank you. :) 13:05 < Dougy> Now I can use a /29 again if I want. Heh. 13:05 < SilenceGold> heh 13:05 < Dougy> I think that should be the mainstream and you should have to configure it to use a /30 instead 13:05 < Dougy> I think that should be the mainstream and you should have to configure it to use a /30 instead of the other way around* 13:19 < krzy> Dougy, im sure that will end up being the case 13:19 < krzy> remember, its still a beta feature... 
13:19 < Dougy> Seems to work stable for me with 9 clients 13:19 < Dougy> lol 13:20 < krzy> yup 13:20 < krzy> in openvpn beta usually doesnt mean unstable 13:20 < krzy> just means relaticely untested, as compared to the other stuff 13:21 < krzy> relatively 13:21 < Dougy> nod 13:21 < Dougy> so what did you think of my security doc idea 13:21 < krzy> same as yesterday 13:21 < Dougy> i see ecrist was awake 13:21 < Dougy> did he mention anything 13:22 < krzy> dont think he saw that idea 13:22 < krzy> he tried to respond to your asking him to respond, but you werent in 13:30 < Dougy> :( 13:30 < Dougy> ecrist: whne you're here (if its within the next 5 and a half ours, pm me) 14:42 -!- gallatin [n=gallatin@dslb-088-077-069-255.pools.arcor-ip.net] has joined ##OpenVPN 14:59 < krzy> *bored( 15:00 < Dougy> lol 15:00 < Dougy> same 15:14 < Dougy> wow 15:14 < Dougy> krzy 15:14 < Dougy> this is incredibly cool 15:14 < Dougy> lol 15:14 < krzy> yoh 15:14 < krzy> ? 15:14 < Dougy> linking you 15:14 < Dougy> hold 15:15 < Dougy> http://www.speedtest.net/result/313242699.png 15:15 < Dougy> thats through my VPN 15:15 < Dougy> lo 15:15 < Dougy> l 15:15 < krzy> shit 15:15 < krzy> nice man 15:15 < Dougy> hahah 15:15 < Dougy> well 15:15 < Dougy> i'm on a work line here in the company office 15:15 < Dougy> its about 200 Mbps when not VPN'd 15:15 < Dougy> so 15:16 < Dougy> lol 15:16 < krzy> how many hops from server? 15:17 < Dougy> one mom 15:17 < Dougy> 3 15:17 < Dougy> lol 15:17 < krzy> 3 hops away!? 15:17 < Dougy> yes 15:17 < Dougy> it goes from office down to the DC 15:17 < Dougy> my server is in the same rack as the office router 15:17 < Dougy> lol 15:17 < krzy> so the DC has less BW than the office? 
15:18 < Dougy> the bw for hte office comes from the DC 15:18 < Dougy> :| 15:18 < Dougy> hold on 15:18 < Dougy> now doing speedtest on office non-vpn 15:18 < Dougy> its a bit sluggish today 15:18 < Dougy> infact 15:18 < Dougy> extremely 15:18 < Dougy> lol 15:19 < Dougy> http://www.speedtest.net/result/309922257.png 15:19 < Dougy> that's the norm 15:20 < Dougy> haha 15:20 < Dougy> thats the priv network in the office for OS reloads.. my desk's connection is different 15:20 < Dougy> sec 15:21 < Dougy> its much slower :p 15:21 < Dougy> http://www.speedtest.net/result/313244829.png 15:23 < krzy> werd 15:28 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Read error: 113 (No route to host)] 15:29 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn 15:29 -!- gallatin [n=gallatin@dslb-088-077-069-255.pools.arcor-ip.net] has quit ["Client exiting"] 15:32 -!- correcaminos [n=laguilar@nat1.inalambrica.net] has joined ##openvpn 16:11 -!- Dougy [n=doug@64.18.159.247] has quit [Nick collision from services.] 16:11 -!- Dougy [n=doug@64.18.159.247] has joined ##openvpn 16:11 < Dougy> ffs 16:20 -!- st1650 [n=eb@76-10-166-89.dsl.teksavvy.com] has joined ##openvpn 16:21 < st1650> I have openvpn installed on a client on ip 10.0.0.2. Router and DHCP server is on 10.0.0.1 I can connect remotely and get an ip in the 10.0.0.x range but I can't ping anything ... is the problem on the client or the router side ? 16:22 < krzy> routed or bridged? 16:23 < st1650> humm hold on .. 16:23 < krzy> tun or tap 16:23 < st1650> tap 16:23 < st1650> it worked fine before ... I was the the 192.168.x subnet 16:24 < st1650> But in the migration to 10.0.0.x now I'm stuck ... 16:24 < krzy> ya im not too familiar with tap 16:24 < krzy> i take it you're doing windows filesharing or LAN gaming? 16:24 < st1650> Yes and no ... 
16:25 < st1650> It mostly for when I'm remote (internet cafe, hotels, etc) 16:25 < krzy> well ya, yes to either is a good reason for a bridge 16:25 < krzy> !bridge 16:25 < vpnHelper> krzy: "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better., or (#4) useful for windows sharing (without wins server) and LAN gaming, anything where the (1 more message) 16:25 < krzy> !more 16:25 < vpnHelper> krzy: protocol uses MAC addresses instead of IP addresses. 16:25 < st1650> I'd rather not touch the conf now since it was working fine before ... 16:25 < Dougy> Tun <3 16:25 < krzy> well if you arent using one of what i mentioned, you dont want a bridge 16:26 < krzy> more overhead, harder setup, opens you up to MITM arp attacks if someone gets into any part of the bridged lan 16:27 < krzy> so if you arent using any protocols that use MAC address instead of IP, im happy to help you get to a tun setup 16:27 < st1650> Ok .. sure .. want to see my config file ? 16:27 < krzy> otherwise, im unable to help with the bridge setup as i dont play games or use win filesharing 16:28 < krzy> sure 16:28 < krzy> !configs 16:28 < vpnHelper> krzy: "configs" is please pastebin your client and server configs (with comments removed), also include which OS and version of openvpn. 16:30 < st1650> Server (Linksys wrt54gl running DD-WRT on 10.0.0.2 ip address, router is running tomato on 10.0.0.1) http://pastebin.ca/1183724 16:30 < st1650> Client: Windows XP: http://pastebin.ca/1183725 16:31 < krzy> !router 16:31 < vpnHelper> krzy: "router" is if you are using one of those hacked up linksys linux routers, and you are not logging... 
dont expect help until you turn on logging so you can post them 16:31 < krzy> that will matter if you run into ANY errors 16:31 < krzy> but not important yet as we dont have any problems yet 16:31 < st1650> ok 16:31 < krzy> still, make sure you know how to turn on logging 16:31 < st1650> ok 16:32 * krzy loves the bot 16:32 < krzy> !sample 16:32 < vpnHelper> krzy: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs 16:33 < krzy> anything special to your setup? need access to lans behind server and or client? 16:33 < krzy> sounded like road warrior setup so im guessing only want access to lan behind server, unless you're just trying to change your default route (or both) 16:34 < st1650> needs to run on port 53 UDP ... other than that, normal setup .. 16:34 < krzy> nice 16:34 < st1650> ¸< 16:34 < krzy> ok so no access to lan behind the server? 16:34 < st1650> oups 16:34 < st1650> cat 16:35 < krzy> and no access to inet through your vpn? 16:35 < st1650> well yeah id like to access my routers and servers from outside 16:35 < krzy> and will you be routing traffic bound for the inet over the vpn? 16:35 < krzy> or just to access your lan?> 16:35 < st1650> access my lan 16:35 < krzy> k 16:36 < krzy> lan is 10.0.0.0/24 16:36 < st1650> yup 16:36 < krzy> duplicate-cn # Allow multiple clients with the same common name 16:36 < krzy> do not use that 16:36 < krzy> like, ever 16:36 < st1650> ok 16:37 < Dougy> krzy: someone told me to enable that yesterday 16:37 < Dougy> lo 16:37 < Dougy> l 16:37 < krzy> Dougy, who? 16:37 < Dougy> er 16:37 < Dougy> maybe the day before 16:37 < Dougy> I think it was ecrist actually 16:37 < krzy> maybe he only meant for testing 16:38 < Dougy> n 16:38 < krzy> thats all its good for 16:39 < krzy> st1650, your setup is very basic 16:39 < ecrist> sup, guys? 16:39 < krzy> you basically just want my sample configs 16:39 < krzy> remove my client-config-dir entry 16:39 < ecrist> krzy: not really. 
:\ 16:39 < krzy> and add push route for 10.0.0.0/24 16:40 < ecrist> for example, you can give it to a user who may have more than one machine. 16:40 < krzy> ecrist, not really what? 16:40 < Dougy> ecrist!!!!!! 16:40 < Dougy> Can I PM you, I want to ask you something, but I dont wanna interfere with krzy here 16:40 < st1650> krzy: Could you edit it ? I'm not sure how to push routes 16:40 < krzy> 1sec 16:40 < krzy> !route 16:40 < vpnHelper> krzy: "route" is https://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 16:40 < ecrist> Dougy: sure, I guess. 16:41 -!- bandini [n=bandini@host244-109-dynamic.25-79-r.retail.telecomitalia.it] has quit [Read error: 60 (Operation timed out)] 16:42 < Dougy> pm sent 16:44 < krzy> ecrist, were you saying not really about the duplicate-cn thing? 16:44 < ecrist> krzy: yes 16:44 < krzy> because even openvpn.net says it should only be used for testing 16:44 < krzy> and is not recommended for real life usage 16:45 < krzy> more certs should be made when more clients are desired 16:45 < ecrist> krzy: there are real-world situations where they can be useful. 16:45 < krzy> more useful than simply creating another cert? 16:46 < ecrist> krzy, I've gone to issuing certs for every client, however, I only do it so each certificate can have their own static IP. 16:46 < ecrist> before I was issuing statics, I didn't care how many client connections were coming in for each certificate. 16:47 < Dougy> erk chest pain :S brb 16:47 < st1650> krzy: ERROR : Dev tun also requires ifconfig 16:49 < krzy> 1sec 16:49 < st1650> strange ... 
16:49 < st1650> it didn't save 16:49 < st1650> hold on 16:49 < krzy> ecrist, in your example your reasoning is only laziness, not actually making anything better 16:50 < krzy> whereas to disallow the cert when already logged in is slightly better 16:50 < ecrist> i disagree 16:50 < Dougy> I cant believe I lol at IRC arguements 16:52 < krzy> you disagree that it was only for laziness or that theres slightly more security in not letting someone use your cert while you are already using it? 16:52 < krzy> dont get me wrong, im sure im lazier than anyone else 16:52 < krzy> im quite lazy ;] 16:52 < st1650> krzy: testing from remote ... brb 2min 16:52 < ecrist> krzy: I don't see anything wrong with giving a user one certificate for use on multiple machines. 16:52 < krzy> st1650 1sec 16:53 < krzy> ecrist, til someone gets their hands on it 16:53 < ecrist> it's no more difficult to turn off... 16:54 < ecrist> regardless, a VPN isn't the *only* security protocol in place on any network run by a competent admin. 16:54 < krzy> that is true, but ild rather they not even be able to get in while i find out i need to add it to CRL 16:54 < krzy> very true 16:54 < krzy> im just agreeing with the devs 16:54 < ecrist> tbh, the network at my work could be opened up to the world, and would be virtually as secure. 16:55 < krzy> or at least whoever made openvpn.net 16:55 < ecrist> krzy: don't agree with them just because they wrote a useful piece of software. Unless you're a sheep. 16:56 -!- st1650 [n=eb@76-10-166-89.dsl.teksavvy.com] has quit [Read error: 104 (Connection reset by peer)] 16:57 < krzy> using suggested security by the authors is being a sheep? 16:58 -!- st1650 [n=eb@76-10-166-89.dsl.teksavvy.com] has joined ##openvpn 16:58 < st1650> back 16:59 -!- bandini [n=bandini@host244-109-dynamic.25-79-r.retail.telecomitalia.it] has joined ##openvpn 16:59 < ecrist> krzy: agreeing with them simply because they said so, is being a sheep. 
16:59 < krzy> http://pastebin.ca/1183749 17:00 < krzy> for st1650 17:00 < st1650> krzy: looks like what I have ... hold on im testing remotely .. 17:02 < krzy> my client config isnt for windows, so may be a slight edit to that 17:02 -!- st1650 [n=eb@76-10-166-89.dsl.teksavvy.com] has quit [Read error: 104 (Connection reset by peer)] 17:02 -!- st1650 [n=eb@76-10-166-89.dsl.teksavvy.com] has joined ##openvpn 17:02 < st1650> nope doesn't work 17:02 < krzy> my client config isnt for windows, so may be a slight edit to that 17:02 < krzy> !logs 17:02 < vpnHelper> krzy: "logs" is is please pastebin your logfiles from both client and server with verb set to 6 17:02 < st1650> It connects fine, gets the ip address but I can't ping anything 17:06 < Dougy> sec let me look 17:06 < Dougy> url to config? 17:06 < st1650> same problem as before, when I was in tap mode ... 17:06 < st1650> I'm running out of time .. Ill be back 17:06 < st1650> thanks for the help 17:07 < Dougy> url to config? 17:09 < krzy> when you come back bring logs ps 17:09 < krzy> pls 17:09 < krzy> and we'll getchya up 17:11 < krzy> and Dougy, im not really arguing with ecrist, we just have diff veiwpoints on that and since i see him a lot here and we both dish out a bit of help i wanted to see why he would recommend duplicate-cn over just amking more configs 17:11 < krzy> making 17:11 < krzy> but its really not a big deal, not like he's saying to leave out tls-auth or anything that really matters 17:12 < ecrist> krzy: to clarify, my advice was to create two different certificates, or at the very least, enable duplicate-cn 17:12 < krzy> ahh 17:12 < krzy> ok ya i read that different than what i thought it was 17:13 < krzy> assumption... 17:13 < krzy> heh 17:13 < krzy> !learn assumption as the mother of all F***ups 17:13 < vpnHelper> krzy: The operation succeeded. 17:13 < krzy> ;] 17:14 < krzy> btw ecrist, did you see !menu? 
17:14 < krzy> it doesnt update itself so when i add something i update menu, have tried to add everything i could remember to it 17:17 < krzy> !menu 17:17 < vpnHelper> krzy: "menu" is !betaman, !tls-cipher, !howto, !faq, !winroute, !iroute, !route, !mail, !tls-verify, !pastebin, !logs, !man, !ubuntu, !gentoo, !freebsd, !ccd, !mtu, !bridge, !tcp, !privledges, !insanity, !nat, !secure, !ask, !wiki, !sample, !configs, !winpass, !dev, !/30, !multi, !router, !notopenvpn, !path, !netman, !tls-auth, !push, !download 17:20 < ecrist> krzy: would possibly be better if !menu was replied via PM. 17:20 < krzy> not an option, also not as helpful for anyone who sees !menu and notices a topic they may want to read 17:21 < krzy> well not an option unless you code python 17:21 < ecrist> I don't code python, but I'm sure it's not that hard. 17:21 < ecrist> I do code perl, though. 17:22 < krzy> just yesterday i was editing the menu and someone found something in it they wanted to read 17:22 < krzy> although i think it was just !insanity, lol 17:28 < krzy> oh and Dougy was hoping we could make a writeup on openvpn security implimentation, like overveiw from !secure + details and examples 17:28 < krzy> it sounds like a long writeup, was curious if you had any interest in helping with it if i started working on it next time im bored enough 17:29 < krzy> on the wiki 17:31 -!- xybre [n=xybre@bb4win/users/fluffy] has quit ["Leaving"] 17:31 < ecrist> I have interest, but often no time. 17:31 * ecrist goes away for a bit. 17:31 < krzy> ya i hear ya 17:32 < krzy> los vemos 17:37 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Client Quit] 17:51 -!- kaynine [i=5684dc5d@gravity.spherecarrier.org] has quit ["later gang; keep up the good work :)"] 17:54 < krzy> !betaman 17:54 < vpnHelper> krzy: "betaman" is http://www.openvpn.net/man-beta.html 17:55 < krzy> have any of you played with --port-share in beta yet? 
17:56 < krzy> it looks really cool 18:06 < Dougy> negative 18:06 < Dougy> Hm krzy 18:06 < Dougy> Is there an official "openVPN" forum? 18:06 < Dougy> Like one dedicated to it 18:06 < krzy> not that i know of 18:07 < Dougy> hmmm 18:07 * Dougy has a lightbulb in his head 18:07 < Dougy> : 18:07 < Dougy> :O* 18:08 < krzy> if one is created ill add !forum and signup, like we recently did with ecrist's wiki 18:20 < Dougy> I'll help create one 18:20 < Dougy> but 18:20 < Dougy> I don't know enough to admin it myself 18:20 < Dougy> (HINT) 18:20 < krzy> hehe 18:20 < krzy> ill cruise through and answer ?'s 18:20 < Dougy> If you want to help and maybe ecrist too I'll put it together 18:21 < krzy> maybe even add a forumfeed for the chan 18:21 < Dougy> can i PM to discuss more? 18:21 < krzy> if we decide the forumfeed isnt annoying 18:21 < Dougy> i don't wanna give anyone any golden ideas ;) 18:21 < krzy> if you want, but we can just talk in here too, either way 18:26 < krzy> and if you dont wanna renew it cause it doesnt get used, you only lose $8 18:33 -!- BoomSie [n=gideon@212-182-158-43.ip.telfort.nl] has quit ["Ex-Chat"] 19:04 -!- Dougy is now known as Dougy|Work 19:39 < Dougy|Work> damn it' 19:39 < Dougy|Work> ughhhhhhhhhhhhhhhh 20:31 -!- Dougy [n=douglas@ool-43503ed4.dyn.optonline.net] has joined ##openvpn 20:41 * Dougy stabs ecrist 20:41 < Dougy> SilenceGold: 20:41 < Dougy> hi 20:41 < SilenceGold> hi 20:42 < Dougy> hihi 20:42 < Dougy> thanks again for the help 20:42 < SilenceGold> all working good? 20:43 < Dougy> thumbs up 20:43 < Dougy> now i got 172.16.0.1 .2 .3 .4 20:43 < SilenceGold> heh 20:43 < Dougy> Danke :) 20:43 < SilenceGold> the fun part is graphing the traffic being used per client 20:43 < SilenceGold> I got it working in cacti now :) 20:44 < Dougy> dude 20:44 < Dougy> that's sick 20:44 < Dougy> i wouldn't even know where to look, honestly 20:44 < SilenceGold> have you used cacti? 
20:44 < Dougy> of course i have 20:44 < Dougy> :) 20:44 < Dougy> I do cacti installs on a daily basis 20:44 < SilenceGold> okay 20:45 < SilenceGold> then just look into openvpn's management port 20:45 < SilenceGold> you can write a script that will telnet to that port to get the stats 20:45 < Dougy> Down the road :) Not tonight 20:45 < SilenceGold> then parse it into readable for the cacti 20:45 < Dougy> haha 20:45 < Dougy> like I can script 20:45 < SilenceGold> I just gave you hints on how you can do it 20:45 < Dougy> you're funny :) 20:45 < SilenceGold> it is expected for you to know how to script 20:45 < SilenceGold> learn then 20:45 < Dougy> script what? 20:45 < Dougy> bash? 20:46 < SilenceGold> any 20:46 < SilenceGold> almost any scripting language can do it 20:46 < Dougy> ah 20:46 < Dougy> okay 20:46 < Dougy> Ill look into it. 20:46 < SilenceGold> python, csh, sh, bash, php 20:46 < Dougy> SilenceGold: did you see my idea of the openVPN forum? 20:46 < SilenceGold> even perl 20:46 < Dougy> could Perl 20:46 < SilenceGold> Dougy yea 20:46 < Dougy> ha 20:46 < Dougy> I'm learning PHP and Perl 20:46 < Dougy> well trying to 20:46 < Dougy> what do you think of the idea, SilenceGold? 20:46 < Dougy> you're probably gonna say its gonna flo 20:46 < Dougy> p 20:47 < SilenceGold> yea it will 20:47 < SilenceGold> you need enough traffic 20:47 < SilenceGold> it'll get overwhelmed by newbies with routing problems thinking it's openvpn's problem 20:47 < SilenceGold> I think that the wiki is the best solution 20:47 < SilenceGold> with the best FAQ list available 20:48 < Dougy> Yeah 20:48 < Dougy> Probably 20:48 < Dougy> It's worth a shot though :) 20:48 < SilenceGold> your big problem with the forums is getting enough people to help 20:48 < Dougy> yep 20:50 < ecrist> what's up, folks? 20:50 < Dougy> sup ecrist 20:50 < Dougy> :) 20:51 < ecrist> fwiw, I can host a forum, but have little desire to admin it. 
20:52 < Dougy> er 20:52 < Dougy> i suck at e-speak 20:52 < Dougy> what's "fwiw" 20:52 < Dougy> ? 20:52 < ecrist> For What It's Worth 20:52 < Dougy> oh 20:52 < Dougy> I have plenty of time to waste 20:52 < Dougy> cleaning it up and running it 20:52 < Dougy> i just will need some people to help the newbies :p 20:52 < Dougy> erm ecrist does www.ovpnforum.com load for you 20:53 < ecrist> negative 20:53 < Dougy> what the f 20:53 < Dougy> :| 20:54 < Dougy> wow 20:54 < Dougy> my ISP SUCBBBBBBKS 20:54 < Dougy> .. 20:54 < Dougy> SUCKS******** 20:54 < Dougy> traceroute to ovpnforum.com (64.18.144.145), 30 hops max, 40 byte packets 1 192.168.1.1 (192.168.1.1) 23.315 ms 68.946 ms 79.948 ms 2 10.68.0.1 (10.68.0.1) 115.312 ms 152.560 ms 171.412 ms 20:54 < Dougy> woo. 20:55 < SilenceGold> you're hosting it at home? 20:55 < SilenceGold> it looks like it's the domain lookup failing 20:56 < Dougy> no, i'm not hosting it at home 20:56 < Dougy> it's in the DC at work 20:56 < Dougy> those were just the first 2 hops of the traceroute 20:56 < Dougy> lol 20:56 < Dougy> 100 ms latency inside my LAN 20:56 < Dougy> how nice 20:56 < ecrist> well, whatever you guys decide to do, let me know, or not. I'm not the boss or anything. 20:56 * Dougy nods 20:56 < Dougy> I need to figure out why named is screwed up 20:56 < Dougy> but its only for that one domain 20:56 < Dougy> :S 20:57 < ecrist> ns1.bergenhosting.com is resolving just fine. 20:58 < Dougy> should be .net 20:58 < ecrist> as is ns2 20:58 < ecrist> erm yeah, nsX.bergenhosting.net 20:58 < Dougy> .com is old and outdated 20:58 < Dougy> yeah 20:58 < Dougy> all the other sitse on the server resolve too.. 20:58 < Dougy> sites 20:58 < Dougy> such as www.pulserepair.com 20:59 < Dougy> something is miserably wrong with my server 20:59 < Dougy> what the frickin hell 20:59 < ecrist> Dougy: your colo sucks balls. 
21:00 < Dougy> apparently so 21:00 < Dougy> our network has been fucked up the last 3 days 21:00 < Dougy> am i going to get banned if i curse again? 21:00 < ecrist> http://pastebin.com/m5035f06a 21:01 < ecrist> hrm, depends. 21:01 < Dougy> dude 21:01 < Dougy> i'm going to kill my boss 21:01 < Dougy> he goes on vacation when our network starts to mess up 21:01 -!- mode/##openvpn [+o ecrist] by ChanServ 21:01 < Dougy> and ecrist, please don't ban me for this 21:01 < Dougy> but 21:01 < Dougy> WHAT THE FUCK IS GOING ON!?!? 21:01 < Dougy> ughhhhhhhh 21:02 < Dougy> this isn't fair 21:02 < SilenceGold> uh where are the trolls 21:02 < Dougy> :( 21:02 < SilenceGold> I want to feed some 21:02 < Dougy> haha 21:02 < Dougy> well 21:02 -!- mode/##openvpn [-o ecrist] by ecrist 21:02 < ecrist> lol 21:02 < Dougy> it's time to move the site to somewhere that's not complete garbage 21:02 < Dougy> i can't believe that i'm saying that about my employer 21:02 < SilenceGold> Dougy sign up for my VPn and you can host your own website at home 21:02 < ecrist> well, off to spend some time with the wife before bedtime. 21:02 < Dougy> but they're really that bad 21:02 < Dougy> night ecrist 21:02 < ecrist> Dougy: fwiw, my DSL is more stable than your colo. :) 21:02 < Dougy> apparently so 21:02 < Dougy> i had been getting weird packet loss tickets last few days 21:03 < SilenceGold> but he don't have SPLA obviously 21:03 < SilenceGold> who's your provider? 21:03 < Dougy> www.justedge.net 21:03 < Dougy> i work there 21:03 < Dougy> i dont know what's going on 21:03 < SilenceGold> doing what? 21:03 < ecrist> you *work* at your colo? 21:03 < Dougy> i work for the datacenter.. 21:03 < Dougy> yes 21:03 < ecrist> and you can't get a server online? 21:03 * ecrist points and laughs. 
21:04 < ecrist> :P 21:04 < Dougy> my boss is the only guy who has access to the routers 21:04 < Dougy> what kind of bs is that 21:05 < Dougy> ecrist: before you run 21:05 < Dougy> can you pm me the source IP for that trace 21:05 < Dougy> i'm going to call my boss up and get him to fly back from his vacation in Poland right now 21:06 < ecrist> Dougy: it's in the pastebin 21:07 < Dougy> oh 21:07 < Dougy> your server's ip? :s 21:07 < Dougy> oh 21:07 < Dougy> wrong pastebin 21:08 < ecrist> actually, it isn't but front-door is close enough. 21:08 < ecrist> and is pingable. 21:10 < ecrist> Dougy: you registered that domain today? 21:11 < ecrist> If it were me, I'd have started a forum somewhere I already owned, and if it took off, bought a domain, or asked for a subdomain from openvpn.net folks. 21:12 * ecrist goes away 21:18 < Dougy> ecrist: meh 21:18 < Dougy> i had $8 to waste 21:19 < Dougy> okay ecrist still here? 21:23 < Dougy> SilenceGold: fixed 21:24 < SilenceGold> nope 21:25 < Dougy> well 21:25 < Dougy> depends what IP it resolves to 21:25 < Dougy> what ip are you seeing 21:31 * Dougy pokes SilenceGold 21:32 -!- st1650 [n=eb@76-10-166-89.dsl.teksavvy.com] has quit [Read error: 113 (No route to host)] 21:37 -!- near [n=near@83-155-186-245.rev.libertysurf.net] has quit [Read error: 101 (Network is unreachable)] 21:38 -!- near [n=near@83-155-189-82.rev.libertysurf.net] has joined ##openvpn 21:42 < Dougy> okay 21:42 < Dougy> that's it 21:49 < Dougy> New server here I come (new network, too) 22:50 < ecrist> Dougy: point the domain to me. 22:54 < Dougy> ecrist: que? 23:00 * Dougy shrugs 23:24 < krzee> it comes up fine for me 23:24 < krzee> vBulletin Message 23:24 < krzee> Sorry, the board is unavailable at the moment while we are testing some functionality. 23:24 < krzee> We will be back soon... 
23:28 < Dougy> yeah 23:28 < Dougy> i put it on a new IP 23:28 < Dougy> i'm getting a new srver set up as we speak though 23:28 < Dougy> I cant frickin stand the bad routing going on at work 23:28 < Dougy> ugh 23:36 < Dougy> krzee: depending how long bigvps takes it may be up tomrrow 23:36 < Dougy> ive seen 2-4 days for support replies though 23:40 < krzee> cool if you're doing that for your server in general, but its not a big deal for the forum 23:45 < Dougy> well 23:45 < Dougy> you see 23:45 < Dougy> i had traceroutes from everywhere and out of the 10 people who did it 23:45 < Dougy> 8 couldnt even reach the server 23:45 < Dougy> it stopped at a njiix router (entrance to network) 23:45 < Dougy> :( 23:46 < Dougy> This other provider (where I'm getting this server) is far more solid. 23:48 < Dougy> from my exp anyway 23:49 < krzee> gotchya 23:51 < Dougy> so 23:51 < Dougy> should be good to go when they nuke my VPS 23:51 < Dougy> :) 23:51 * Dougy nods 23:51 < Dougy> bed soon 23:57 -!- Dougy [n=douglas@ool-43503ed4.dyn.optonline.net] has quit ["Lost terminal"] --- Day changed Mon Aug 25 2008 01:04 -!- SilenceGold [n=chris@adsl-70-232-78-19.dsl.ltrkar.sbcglobal.net] has quit ["I've never heard that silence is golden...."] 01:11 -!- SilenceGold [n=chris@70.232.78.19] has joined ##openvpn 01:40 -!- jeffspeff2 [i=jeff@c-98-240-113-135.hsd1.ky.comcast.net] has joined ##openvpn 01:41 < jeffspeff2> i'm trying to create the ca... i'm using windows as the vpn server... do i need to have openssl installed? 01:46 -!- bandini [n=bandini@host244-109-dynamic.25-79-r.retail.telecomitalia.it] has quit [Read error: 110 (Connection timed out)] 02:00 < krzee> no 02:00 < krzee> your cert making machine is windows? 02:01 < krzee> i dont use windows but at http://openvpn.net/index.php/documentation/howto.html#pki it says: 02:01 < vpnHelper> Title: HOWTO (at openvpn.net) 02:01 < krzee> If you are using Windows, open up a Command Prompt window and cd to \Program Files\OpenVPN\easy-rsa. 
Run the following batch file to copy configuration files into place (this will overwrite any preexisting vars.bat and openssl.cnf files): 02:01 < krzee> init-config 02:01 < krzee> Now edit the vars file (called vars.bat on Windows) and set the KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, and KEY_EMAIL parameters. Don't leave any of these parameters blank. 02:01 < krzee> etc... 02:08 < kraut> moin 02:09 < jeffspeff2> krzee, when i go to run build-ca.bat... i get openssl errors. i installed openssl for windows, and i still get the errors. 02:09 < jeffspeff2> also, windows doesn't have any type of init-config... that's a linux thing 02:11 < jeffspeff2> wait, nm, i admit retardation... the initconfig thing does work... i was mistaken. 02:11 < krzee> i never installed openssl for windows 02:11 < krzee> that i can recall 02:11 < krzee> its been quite awhile, but i remember it being simple 02:11 < krzee> (awhile since using ovpn on win) 02:42 < jeffspeff2> could somebody explain to me how to assign a specific ip to a specific vpn client? i'm reading the howto http://openvpn.net/index.php/documentation/howto.html, but getting really confused 02:42 < vpnHelper> Title: HOWTO (at openvpn.net) 02:53 < krzee> ya 02:53 < krzee> an ifconfig entry in a ccd file 02:53 < krzee> !ccd 02:53 < vpnHelper> krzee: "ccd" is entries that are basically included into server.conf, but only for the specified client 02:54 < krzee> we just helped Concept-P get that going 03:12 -!- mucimon [n=mucimon@lugbari/people/mucimon] has left ##openvpn [] 03:17 -!- mucimon_ [n=mucimon@host134-227-static.57-82-b.business.telecomitalia.it] has joined ##openvpn 03:25 -!- thomas [i=tm@tm.muc.de] has quit [Remote closed the connection] 03:35 < jeffspeff2> krzee, i'm doing ifconfig-push 192.168.50.2 in the ccd/user file but the client keeps getting 192.168.50.6 from somewhere... 03:35 < krzee> you have ipconfig-pool-persist? 03:35 < krzee> ipp.txt...? 
03:35 < krzee> also 03:35 < krzee> it needs .6 03:35 < krzee> assuming you are using routing 03:35 < krzee> !/30 03:35 < vpnHelper> krzee: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) it is possible to avoid this behavior if you use the beta version with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html 03:36 < krzee> read that to understand by 03:36 < krzee> s/by/why/ 03:40 < jeffspeff2> krzee, ok, just read that... so does that mean that i can assign static ip's still, but they have to be after .6 ? 03:41 < jeffspeff2> i.e. 192.168.50.7, 192.168.50.8, etc. 03:41 < krzee> .6 03:41 < krzee> .10 03:41 < krzee> .14 03:41 < krzee> .18 03:41 < krzee> etc 03:41 < krzee> OR 03:41 < jeffspeff2> ahh, increments of 4 03:41 < krzee> use beta and topology subnet 03:42 < krzee> in which case, you can just go by 1's 03:42 < krzee> only uses /30 to workaround some windows issue, but topology subnet does it more intelligently 03:47 < krzee> time for sleep 03:47 < krzee> best of luck 03:48 -!- RexMundi [n=RexMundi@off.spillgroup.com] has quit [Read error: 104 (Connection reset by peer)] 03:48 < krzee> ill be around tomorrow during the day (EST) if you dont get it working 03:55 -!- jeffspeff [i=jeff@c-98-240-113-135.hsd1.ky.comcast.net] has joined ##openvpn 03:56 -!- jeffspeff2 [i=jeff@c-98-240-113-135.hsd1.ky.comcast.net] has quit [Read error: 104 (Connection reset by peer)] 04:39 -!- nver [n=Chekit@darthmaul.satgate.net] has joined ##openvpn 04:39 < nver> Hello 04:39 < nver> How come open vpn doesn't go through my socks proxy?
05:42 -!- OpenTokix [i=peter@0x2a.se] has joined ##openvpn 05:42 < OpenTokix> hey 05:42 < OpenTokix> I have a openvpn with a couple of hosts, like 60 or so 05:42 < OpenTokix> today all of a sudden six fell away 05:42 < OpenTokix> im logged in to one of them - and it's trying to connect but complains about tls failure 05:43 < OpenTokix> TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) 05:43 < OpenTokix> in the faq it talks about network problem 05:43 < OpenTokix> however, nothing have changed network wise - and I can ssh from the machine to the vpn-server 05:43 < OpenTokix> also, the six machines are in different co-los (different physical networks) 05:44 < OpenTokix> Any suggestions? 05:45 < svenx> tcpdump on both sides, compare with working setup 05:48 -!- nver [n=Chekit@darthmaul.satgate.net] has quit [Remote closed the connection] 05:50 < OpenTokix> svenx: im not sure how I am supposed to write on tcpdump 05:50 < OpenTokix> with 05:59 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 06:01 < OpenTokix> It's going traffic thru 06:02 < OpenTokix> I see the clients traffic on the vpn-server 06:02 < OpenTokix> but the tunnel isn't getting operational 06:09 < svenx> i'm not too familiar with openvpn, but i would first investigate if it can use verbose logging 06:10 < svenx> if not, i would look at the ssl handshakes to see where things go bad 06:11 < OpenTokix> im trying the 2.1rc9 now 06:11 < OpenTokix> had 2.0.9 06:11 < OpenTokix> it might be a problem with epoll-handling (?) and it was fixed in 2.1rc4 06:17 < OpenTokix> no luck 06:50 -!- lolo92 [n=lolo92@84.55.144.90] has joined ##openvpn 06:50 < lolo92> hello 06:51 < lolo92> is there any solution to get openvpn running with a non admin user on a windows xp ?
06:53 -!- BoomSie [n=gideon@s55936eb3.adsl.wanadoo.nl] has joined ##openvpn 06:53 < lolo92> i have this error msg: ROUTE: route addition failed using CreateIpForwardEntry: Accès au réseau refusé 06:53 < lolo92> it fails to add the route 07:29 < ecrist> lolo92: no 07:29 < ecrist> there is no *solution* as it required access to device drivers. 07:38 < ecrist> the error says 'Access denied.' 07:38 < ecrist> you need to be an admin. 07:49 -!- BoomSie [n=gideon@s55936eb3.adsl.wanadoo.nl] has quit [Read error: 104 (Connection reset by peer)] 07:51 -!- BoomSie [n=gideon@s55936eb3.adsl.wanadoo.nl] has joined ##openvpn 07:58 < Concept-P> Damn Vista.. I hate vista =) 07:59 < Concept-P> ecrist: are there big differences with a vista client setup and a xp client setup? I can connect to the vpn but I dont receive an ip 08:03 -!- lolo92 [n=lolo92@84.55.144.90] has quit ["Quitte"] 08:10 < ecrist> Concept-P: no idea - never played with Vista 08:12 < Concept-P> ecrist: dont =D 08:12 < Concept-P> unless you have to =) 08:16 < BoomSie> or just join the 'vista-look-a-like' club @ gnome-looks.org and PRETEND you're under vista :p ... 08:17 < BoomSie> and turn to your colleagues with the "0wh, with me the VPN connection works just perfectly" look =) 08:17 < Concept-P> lol =D 08:19 < BoomSie> be careful though, afterwards they'll start nagging at the system administrators that they want it too and they will be just clueless 08:33 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"] 09:23 < ecrist> quiet in here this am. 09:54 < plaerzen> morning irc 10:18 -!- pUmkInhEd [n=pumkinhe@mail.guardianchem.ca] has left ##openvpn [] 11:28 -!- fsckedagain [n=fsckedag@71-154-139-61.ded.pacbell.net] has joined ##openvpn 11:31 < fsckedagain> I need a little pointer on getting the ip address assigned to a client stored in openvpn-status.log.
11:34 -!- dogmeat [n=Bob@unaffiliated/dogmeat] has joined ##openvpn 11:42 -!- fsckedagain [n=fsckedag@71-154-139-61.ded.pacbell.net] has left ##openvpn ["Leaving"] 11:54 -!- jeffspeff [i=jeff@c-98-240-113-135.hsd1.ky.comcast.net] has quit [Connection reset by peer] 11:54 -!- jeffspeff [i=jeff@c-98-240-113-135.hsd1.ky.comcast.net] has joined ##openvpn 11:54 < ecrist> what? 12:05 -!- jeffspeff2 [i=jeff@c-98-240-113-135.hsd1.ky.comcast.net] has joined ##openvpn 12:06 -!- jeffspeff [i=jeff@c-98-240-113-135.hsd1.ky.comcast.net] has quit [Read error: 104 (Connection reset by peer)] 12:17 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 12:28 -!- jeffspeff [i=jeff@c-98-240-113-135.hsd1.ky.comcast.net] has joined ##openvpn 12:29 -!- jeffspeff2 [i=jeff@c-98-240-113-135.hsd1.ky.comcast.net] has quit [Read error: 104 (Connection reset by peer)] 12:37 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn 12:55 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Remote closed the connection] 12:56 -!- BoomSie [n=gideon@s55936eb3.adsl.wanadoo.nl] has quit ["Ex-Chat"] 12:56 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 12:58 -!- fsckedagain [n=fsckedag@71-154-139-61.ded.pacbell.net] has joined ##openvpn 12:59 < fsckedagain> how can I specify the ip address of the openvpn server? I am using a tun device. 13:03 < krzee> local 13:03 < krzee> if its in the server config 13:03 < fsckedagain> ...now I feel stupid. Thanks a bunch! 
13:03 < krzee> remote if its client config connecting to server 13:04 < krzee> np 13:17 -!- jeffspeff2 [i=jeff@c-98-240-113-135.hsd1.ky.comcast.net] has joined ##openvpn 13:17 -!- jeffspeff [i=jeff@c-98-240-113-135.hsd1.ky.comcast.net] has quit [Read error: 104 (Connection reset by peer)] 13:20 -!- jeffspeff [i=jeff@c-98-240-113-135.hsd1.ky.comcast.net] has joined ##openvpn 13:25 -!- jeffspeff2 [i=jeff@c-98-240-113-135.hsd1.ky.comcast.net] has quit [Read error: 60 (Operation timed out)] 13:46 < jeffspeff> hello everybody, i've just recently got openvpn installed on my windows system. the client and the server can ping each other fine (with the vpn address), but i can't open a remote session from the client to the server using the vpn address, but i can connect when using the servers public ip (server ip is set as DMZ on router). The actual issue is weird; when i try to open the remote session using the vpn address, it full screens 13:46 < jeffspeff> the window, i see the system log in, and then the screen stays black for a few moments then the connection times out. 13:46 < jeffspeff> any help would be much appreciated 13:47 < ecrist> it full screens 13:47 < ecrist> ? 13:49 < jeffspeff> ecrist, i'm using windows remote desktop (mstsc) 13:49 < jeffspeff> it full screens the remote session when it connects 13:49 < ecrist> ok, what does that have to do with OpenVPN? 13:50 < jeffspeff> i can't connect through the vpn, but i can with any other method 13:50 < ecrist> is the server listening on the VPN ip? 13:51 < jeffspeff> remote desktop doesn't listen on a particular ip 13:51 < jeffspeff> i also tested with hamachi, and it connect fine with that vpn 13:52 < jeffspeff> it connects using regular public ip, but not with openvpn ip 13:52 < ecrist> ok, so, the VPN works, right? 13:52 < jeffspeff> yes 13:52 < ecrist> ok. 13:52 < jeffspeff> i can ping both ways from either side 13:52 < ecrist> glad we could help. 
:) 13:52 -!- BoomSie [n=gideon@212-182-158-43.ip.telfort.nl] has joined ##openvpn 13:52 < jeffspeff> you're a jack ass 13:53 < ecrist> that's not very nice. 13:53 < ecrist> sounds like you have a firewall issue. 13:53 < jeffspeff> firewall is off 13:53 < jeffspeff> it has something to do with openvpn, but i just don't know what 13:54 < jeffspeff> i tried changing the server from udp to tcp, and still got same results 13:54 < ecrist> leave the server udp 13:54 < jeffspeff> ok 13:54 < jeffspeff> would it have something to do with the client-client setting? 13:54 < ecrist> shouldn't 13:55 < ecrist> you are trying to connect from client to RDP on server, or other way around? 13:56 < jeffspeff> yes, but not sure it's actually RDP, as windows uses microsoft terminal services for remote connections... same concept though 13:58 < ecrist> terminal services is RDP (Remote Desktop Protocol) 13:58 < jeffspeff> ok, didn't know if they were the same 13:58 < ecrist> they are. 13:58 < ecrist> do you have anything else running on the server you can test? 13:58 < ecrist> are you *sure* windows firewall is turned off for the tun device? 13:59 < jeffspeff> i have a different remote application that uses vnc, it works fine 13:59 < ecrist> across the VPN? 13:59 < jeffspeff> yes, firewall is off 13:59 < jeffspeff> yes, vnc works across the openvpn 14:00 < ecrist> don' 14:00 < ecrist> t know, then. 14:00 < ecrist> doesn't seem to be an OpenVPN problem. 14:01 < jeffspeff> hmm... ok, i figured with deductive reasoning that if it works every other way except method c, then method c must be the problem... thanks though... 14:01 < jeffspeff> i take back the jack ass comment 14:03 < ecrist> i don't deny being a jackass, it's generally considered rude to point it out, though. :) 14:04 < jeffspeff> true 14:05 < jeffspeff> hey, i'm thinking about getting an iphone. anybody know if the iphone vpn works with openvpn? 
14:06 < ecrist> iirc, it's standard pptp 14:06 < ecrist> which is != OpenVPN 14:06 < ecrist> OpenVPN is an SSL-based VPN 14:06 < ecrist> PPTP is a different animal 14:07 < jeffspeff> so, that's a no. lol 14:32 -!- _spm_Draget [n=draget@p54BB595F.dip.t-dialin.net] has joined ##openvpn 14:32 < _spm_Draget> Goodevening. Hopefully someone alive here =) 14:32 < ecrist> yes, usually 14:33 < _spm_Draget> I have a tutorial that creates a group openvpn and adds a dir called chroot under /etc/openvpn 14:33 < _spm_Draget> But does not explain why it does that 14:33 < plaerzen> you shouldn't be messing with chroot unless you know what it is, or the tutorial explains what it is. 14:34 < ecrist> sounds like the process is chrooting, which is a security protocol so that, if the OpenVPN software has a vulnerability, the attacker will be contained to the chroot directory, being denied access to the rest of the base system. 14:34 < ecrist> http://en.wikipedia.org/wiki/Chroot 14:34 < vpnHelper> Title: chroot - Wikipedia, the free encyclopedia (at en.wikipedia.org) 14:35 < _spm_Draget> Yup, thanks. But I wonder if OpenVPN really needs its own root or if I can skip this tep 14:35 < _spm_Draget> *step 14:35 < ecrist> up to you and your needs. 14:35 < ecrist> I, personally, don't chroot my OpenVPN process. 14:58 -!- undertakingyou [n=will@undertakingyou.dsl.xmission.com] has quit [Read error: 104 (Connection reset by peer)] 14:58 -!- undertakingyou [n=will@undertakingyou.dsl.xmission.com] has joined ##openvpn 15:07 -!- bandini [n=bandini@host123-109-dynamic.16-79-r.retail.telecomitalia.it] has joined ##openvpn 15:11 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Nick collision from services.] 
15:12 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn 15:18 -!- fzzzt [n=fzzzt@rrcs-72-43-92-186.nys.biz.rr.com] has joined ##openvpn 15:19 < fzzzt> If I use pf to route-to through a tun device, on the other end, how can I have those packets also route-to where they're supposed to go? I need to move a machine, and have to securely pretend like I didn't for a while...kinda build a tunnel to the new location from the old, but fake the old IP. :/ 15:21 * fzzzt guesses that didn't make any sense at all. 15:40 < _spm_Draget> " openvpn[7061]: Options error: You must define DH file (--dh) " 15:41 < _spm_Draget> I am using a preshared key (it is just for a quick setup) 15:41 < _spm_Draget> Why do I need to specify a key exchange thingy? 15:46 < _spm_Draget> Anyone? 15:46 -!- kraut [i=kraut@2001:6f8:12a9:0:0:0:4:0] has quit [Read error: 104 (Connection reset by peer)] 15:52 -!- kraut [i=kraut@blackhole.packetloss.biz] has joined ##openvpn 15:57 < _spm_Draget> =( 16:03 -!- fzzzt [n=fzzzt@rrcs-72-43-92-186.nys.biz.rr.com] has left ##openvpn ["Leaving"] 16:08 < ecrist> _spm_Draget: did you read the howto? 16:08 < _spm_Draget> Which one? 16:08 < ecrist> !howto 16:08 < vpnHelper> ecrist: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 16:08 < _spm_Draget> I am not reading this one. But I will now, thanks 16:09 < ecrist> it's the 'official' one 16:22 < krzy> ecrist, is kraut a human? 16:23 < krzy> every night, at around 3am est he says 16:23 < krzy> !kraut 16:23 < vpnHelper> krzy: "kraut" is moin 16:23 < krzy> hehe 16:23 < plaerzen> fuck. Sometimes I hate my job. 16:24 < krzy> =/ 16:26 < gongoputch> do people use routing daemons in conjunction with OVPN when the endpoint is behind NAT (i.e. not on the default router) and you want to propagate the routes to the boxes on the LANs? 
16:32 < krzy> just add the route to their default router 16:32 < krzy> my WRT54G supports adding a static route 16:43 < fsckedagain> Can I nat/pat traffic coming from the openvpn server to make it look like it is on the same network as the private interface? 16:44 < krzy> huh? 16:45 < fsckedagain> well, let me explain a little more. The default gw my inside devices have knows nothing of the network that traffic from the vpn server is running on. I need to NAT it so I don't have to add a static route to every box on that network. 16:46 < krzy> no, you need to add a route to your default gateway in the lan 16:51 < fsckedagain> the networks are segmented. They can't get to each other nor know about each other. 16:52 < plaerzen> Great, now I really want to segment my network. 16:52 * plaerzen hates his job. 16:54 < fsckedagain> that wasn't terribly helpful :) 16:54 * fsckedagain dislikes segmented networks... 16:57 < plaerzen> I'm not a really helpful guy. I just sit on this channel and bitch.
17:18 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Client Quit] 18:13 -!- BoomSie [n=gideon@212-182-158-43.ip.telfort.nl] has quit ["Ex-Chat"] 19:10 -!- _spm_Draget [n=draget@p54BB595F.dip.t-dialin.net] has quit [Remote closed the connection] 19:18 -!- jeffspeff2 [i=jeff@c-98-240-113-135.hsd1.ky.comcast.net] has joined ##openvpn 19:18 -!- jeffspeff [i=jeff@c-98-240-113-135.hsd1.ky.comcast.net] has quit [Read error: 104 (Connection reset by peer)] 19:21 -!- jeffspeff [i=jeff@c-98-240-113-135.hsd1.ky.comcast.net] has joined ##openvpn 19:37 -!- jeffspeff2 [i=jeff@c-98-240-113-135.hsd1.ky.comcast.net] has quit [Connection timed out] 19:39 -!- rmull [n=boom@c-76-117-208-224.hsd1.nj.comcast.net] has quit [Read error: 104 (Connection reset by peer)] 19:39 -!- jeffspeff [i=jeff@c-98-240-113-135.hsd1.ky.comcast.net] has quit [Connection timed out] 19:49 < ecrist> hola 19:52 -!- jeffspeff [i=jeff@c-98-240-113-135.hsd1.ky.comcast.net] has joined ##openvpn 19:52 < ecrist> gongoputch: I don't fully understand what you're asking. 19:55 -!- Dougy [n=douglas@ool-43503ed4.dyn.optonline.net] has joined ##openvpn 19:55 < Dougy> hey guys 19:55 < Dougy> sup 19:56 < ecrist> what's going on, Dougy 19:57 < Dougy> not much 19:57 < Dougy> got my new VPS at WowVPS 19:57 < Dougy> just waiting on DA to update license IP 19:59 < krzy> hola todos 20:00 < Dougy> hey krzy 20:00 < Dougy> que pasa? 20:01 < ecrist> krzy: no idea 20:01 < krzy> nada, aqui tranquilo 20:01 < ecrist> english, please. 20:01 < Dougy> he said he's calm/quiet/relxaed 20:01 < Dougy> relaxed 20:01 < ecrist> I know. 20:01 < Dougy> i asked what's up 20:01 < Dougy> he said that 20:01 < Dougy> :p 20:02 < ecrist> I can read that much. 20:02 < ecrist> I'm setting a precedent. 20:02 < Dougy> Oh, h'okay. 20:03 < Dougy> Oh, and for the record. 
20:03 < Dougy> htop = win 20:04 * krzy doesnt care what language people speak in, they just shouldnt expect help if the helpers cant understand them 20:05 < ecrist> krzy: kraut seems to be human. 20:05 < krzy> really? 20:05 < krzy> sometimes i wait for him around 3am est 20:05 < krzy> so i can !kraut right after he says moin 20:05 < krzy> haha 20:05 < ecrist> seems to be someone that idles. 20:06 < krzy> its like clockwork 20:06 < krzy> if all NTP servers globally went down, ild know i was within 15min of 3AM when he says moin 20:06 < ecrist> http://pastebin.com/m6a4cfa28 20:08 < ecrist> why do you care? 20:08 < krzy> i dont 20:08 < ecrist> and, why do you have so many nicks? 20:08 < krzy> was just curious 20:08 < krzy> 2 is that many? 20:10 < krzy> BitchX-1.1-final+ by panasync - FreeBSD 6.3-RELEASE-p2 20:10 < krzy> this one for when im not home 20:10 < krzy> ... CTCP VERSION reply from krzee: X-Chat Aqua 0.16.0 (xchat 2.6.1) Darwin 9.4.0 [i386/2.16GHz/SMP] 20:10 < krzy> that one for when i am 20:10 < ecrist> 3, actually. 20:11 < krzy> wheres the 3rd? 20:11 < ecrist> ecrist@chunk:~/irclogs/freenode-> cat ##openvpn.log | grep -e "^.*< kr.*zy" | awk '{print $3}' | sort | uniq 20:11 < ecrist> krzee> 20:11 < ecrist> krzie> 20:11 < ecrist> krzy> 20:11 < ecrist> :P 20:11 < Dougy> erk 20:11 < krzy> oh hah, in logs 20:11 < Dougy> i missed a lot 20:11 * Dougy reads 20:11 < gongoputch> ecrist: it isn't so much a 'right' or 'wrong' answer 20:11 < Dougy> dude, i need to learn awk 20:11 < Dougy> and sed 20:11 < Dougy> i don't know it yet ive used linux for 5 years 20:11 < gongoputch> awk and sed rawk :) 20:11 < krzy> i have more nicks than that 20:12 < ecrist> Dougy: regular expressions are nice, too. 20:12 < gongoputch> ecrist: I think I have decided to use routed and RIP2 to propagate new routes 20:12 < gongoputch> yea, I know ....
OLD 20:12 < Dougy> I need to learn how to use awk, sed, and then regex too 20:12 < ecrist> gongoputch: I didn't understand, specifically, what you were trying to do. 20:12 < gongoputch> but apparently supported in OS X 20:13 < Dougy> ewwwwww 20:13 < Dougy> mac 20:13 < ecrist> /kick Dougy 20:13 < krzy> eww man!? 20:13 < Dougy> ewwwwww 20:13 < Dougy> mac 20:13 < Dougy> :< 20:13 < krzy> err eww mac??? 20:13 < gongoputch> I have an idea how I want to do it, we'll see if it is as simple as all that :) 20:13 -!- mode/##openvpn [+o ecrist] by ChanServ 20:13 < krzy> dudes macs are sweet now 20:13 < Dougy> shit 20:13 * Dougy is dead 20:13 < gongoputch> Macs after OS X are pretty cool 20:14 -!- mode/##openvpn [-o ecrist] by ecrist 20:14 -!- mode/##openvpn [+o Dougy] by ChanServ 20:14 < gongoputch> before OS X they were shit IMO 20:14 <@Dougy> o.O 20:14 <@Dougy> what the hell 20:14 < krzy> gongoputch, agreed 20:14 <@Dougy> thanks ecrist o.O 20:14 < ecrist> not me. 20:14 -!- mode/##openvpn [-o Dougy] by ChanServ 20:14 < krzy> heheh 20:14 < ecrist> gongoputch: agreed. 20:14 < Dougy> thanks whoever did it 20:14 < Dougy> o.O 20:15 < ecrist> gongoputch: what were you trying to route, where? 20:16 * krzy looks at dougy and whistles 20:16 < Dougy> haha 20:16 < Dougy> ;] 20:16 < Dougy> WowVPS is pretty cool 20:16 < Dougy> @ krzy 20:16 < Dougy> this VPS company I use now 20:16 < Dougy> but.. their customer panel is fairly buggy 20:16 < krzy> right on 20:16 < krzy> i think i might get a vps at some point 20:17 < Dougy> right on 20:17 < Dougy> ever heard of jaguarPC? 20:17 < krzy> but ild get it from hong kong 20:17 < gongoputch> I prefer a CLI host 20:17 < krzy> hehe 20:17 < Dougy> lmao 20:17 < Dougy> gongoputch: ehh 20:17 < Dougy> i like being able to reboot it on my own 20:17 < Dougy> that's the only benefit of the panel 20:18 < Dougy> start/stop/suspend 20:18 < ecrist> Dougy: what does CLI have to do with start/stop/suspend?
20:18 < Dougy> nothing whatsoever 20:19 < Dougy> I prefer a host that only uses CLI as well because they in theory know what they're doing 20:19 < Dougy> but having a web based panel that lets me do that without relying on them is nice 20:19 < ecrist> lol 20:20 < Dougy> ecrist: if you don't mind me asking, what's your first name? 20:20 < Dougy> krzy: same question 20:20 < krzy> jeff 20:21 < ecrist> Dougy: it's not hard to find my full name. 20:21 < ecrist> consider it an exercise in using the resources before you. 20:22 < ecrist> the RNC is going to kick my ass. 20:22 < krzy> ahh you're going? 20:22 < krzy> are you a delegate? 20:22 < ecrist> no, it's in the city where I live. 20:23 < ecrist> let's just say I'm working the event. 20:24 < Dougy> nice 20:24 < Dougy> ecrist: instead of typing that whole thing 20:24 < Dougy> why didn't you just tell me? 20:24 -!- jeffspeff [i=jeff@c-98-240-113-135.hsd1.ky.comcast.net] has quit [Success] 20:24 < Dougy> oh 20:24 < Dougy> wow 20:24 < Dougy> eric rofl 20:24 < krzy> his name is his handle 20:24 < Dougy> well, i promise i'm not slow or anything. 20:24 < Dougy> :) 20:28 < ecrist> told ya it was easy. 20:28 < Dougy> wow 20:28 < Dougy> Mets are kicking ass 9-0 :d 20:29 -!- jeffspeff [i=jeff@c-98-240-113-135.hsd1.ky.comcast.net] has joined ##openvpn 20:30 < gongoputch> even a blind squirrel finds a nut occasionally 20:30 -!- jeffspeff2 [i=jeff@c-98-240-113-135.hsd1.ky.comcast.net] has joined ##openvpn 20:30 -!- jeffspeff [i=jeff@c-98-240-113-135.hsd1.ky.comcast.net] has quit [Read error: 104 (Connection reset by peer)] 20:32 < Dougy> gongoputch: true. 20:32 < Dougy> ecrist: are you involved in the development of openvpn? 20:32 < ecrist> nope 20:32 < Dougy> or just a person that helps out people a lot 20:32 < Dougy> btw, who owns this place? 20:33 < ecrist> owns what place? 20:33 < Dougy> ##openvpn 20:33 < ecrist> * 20:33 < ecrist> *shrug* 20:33 < Dougy> word.
20:33 < krzy> nobody owns it 20:33 < Dougy> cough 20:33 < krzy> its just a help channel 20:33 < Dougy> yeah 20:33 < Dougy> i meant like who registered it 20:34 < Dougy> but i have my answer 20:34 < Dougy> i forgot chanserv has the info feature 20:34 < gongoputch> being that it is a "##" it isn't even official 20:34 < ecrist> :) 20:34 < krzy> ya we used to be in #openvpn but there was NEVER any ops 20:34 < Dougy> ah 20:34 < krzy> so when trolls or floods came, it was quite annoying 20:34 < ecrist> I had staff move it here. 20:34 < ecrist> erm, forward it. 20:34 < Dougy> Cool beans 20:35 < krzy> i had even emails openvpn.net about it asking if they could either monitor the channel or add someone to chanserv, never got a reply 20:35 < krzy> emailed 20:35 < Dougy> that's lame 20:36 < krzy> *shrug* its fine, staff moved it over for ecrist and now we dont hafta worry bout it 20:36 < Dougy> indeed 20:36 < Dougy> :] 20:37 < Dougy> freakin' a 20:37 < Dougy> directadmin LETS GO 20:37 < Dougy> :( 20:37 < Dougy> I'm gonna kill mark when he calls me to tell me it's been updated 20:37 < Dougy> :( 20:38 < krzy> haha 20:38 < krzy> calmate 20:38 < Dougy> what? 20:39 < krzy> relax =] 20:39 < Dougy> oh 20:39 < Dougy> I want to get my sites off these two servers (the unstable one you saw last night) and one more 20:39 < Dougy> Wooo Mets win! 20:40 < krzy> 9 - 1 final 20:41 < Dougy> yeah 20:41 < Dougy> 2nd straight complete for Pelfrey 20:41 < Dougy> he's damn good 20:43 < krzy> ecrist, ild be at the target center if i was still in usa 20:44 < krzy> but i cant make it out there 20:45 < ecrist> what's going on at Target Center? 20:45 < krzy> ralley.campaignforliberty.com 20:45 < krzy> err, rally 20:46 < ecrist> ah, RNC is at Xcel Energy Center. 20:46 < ecrist> other side of river. 20:46 < Dougy> krzy: wher are you? 
20:46 < Dougy> where^ 20:47 -!- rmull [n=boom@c-76-117-208-224.hsd1.nj.comcast.net] has joined ##openvpn 20:48 < krzy> the caribbean 20:48 < krzy> i left last yr after i read the patriot act 20:48 < Dougy> nice 20:48 < Dougy> seriously? 20:48 < krzy> yes 20:48 < Dougy> lo 20:48 < Dougy> l 20:48 < Dougy> why>? 20:48 < krzy> this isnt the channel for it 20:49 < krzy> and i leave pretty soon 20:49 < krzy> but ill explain another time for ya 20:49 * Dougy shrugs 20:49 < Dougy> sounds good 20:49 < Dougy> ever comin' back? 20:49 < krzy> just to visit friends and family 20:49 < Dougy> ah 20:49 < krzy> until they do the national ID card 20:49 < Dougy> i hope you moved to a cool country 20:49 < krzy> then ill stop visiting 20:50 < Dougy> lol 20:50 < Dougy> what country are ya in? 20:52 < krzy> i just leave it at "caribbean" 20:52 < Dougy> :( 20:52 < Dougy> either way 20:52 < Dougy> luckyyyyyyy 20:52 < Dougy> lol 20:53 < rmull> Just installed openwrt 20:53 < rmull> taishi would be proud 20:54 < Dougy> lol 20:54 < Dougy> im tired 20:54 < Dougy> bed soon 20:54 < krzy> all the hackers i know love openwrt 20:54 < ecrist> rmull: how do you like it? 20:55 < krzy> cause its an easier target and usually doesnt log 20:55 < Dougy> lol 20:57 < rmull> krzy: lol 20:58 < rmull> ecrist: Still poking around, really. Too soon for an opinion 20:58 < rmull> I installed it because I want to play around with an ipv6 LAN 20:58 < rmull> And I don't think you can install openbsd on a wrt54g 20:58 < krzy> ahh nice 20:59 < rmull> krzy: What makes it an easier target? 21:00 < ecrist> rmull: nice. 21:00 < ecrist> let me know your thoughts after you've played with it a few days. 21:00 < ecrist> I run 4 and 6 on my production network. 21:01 < rmull> Better watch out for krzy's hacker friends :D 21:01 < ecrist> no wrt here. 21:01 < ecrist> FreeBSD boxen. 21:01 < rmull> ecrist: I've literally never dabbled with 6, so I've got a shitton of learning to do. 
21:02 < ecrist> it's easy, once you've figured it out. 21:02 < rmull> Sounds good to me. 21:02 < ecrist> rmull: https://www.secure-computing.net/wiki/index.php/IPv6_DNS 21:02 < vpnHelper> Title: IPv6 DNS - Secure Computing Wiki (at www.secure-computing.net) 21:02 < ecrist> if you need a primer. 21:02 < rmull> I do, and thanks! 21:02 < ecrist> that's for IPv6 dns, but should be helpful. 21:03 < ecrist> if you need any help, please don't hesitate. 21:03 < ecrist> oh, and check out http://ipv6experiment.com 21:03 < vpnHelper> Title: The Great IPv6 Experiment (at ipv6experiment.com) 21:03 < rmull> I think the one thing I've got to take a serious look at is configuration on the gateway/firewall level 21:03 < rmull> ecrist: Yeah, I saw that, lol 21:03 < rmull> I've become so accustomed to the NAT way of doing things 21:03 < ecrist> yeah, lots of folks have. 21:04 < ecrist> there's so much that NAT breaks, though. 21:04 < Dougy> ew 21:04 < Dougy> I have a WRT54G 21:04 < ecrist> SIP, for one. 21:04 < Dougy> I hate it 21:05 < rmull> Dougy: What firmware? 21:05 < krzy> nat dont break SIP 21:05 * ecrist <3 SMCFanControl 21:05 < krzy> nat has STUN 21:05 < krzy> err SIP has STUN 21:05 < rmull> krzy: STUN has to be run to work around the NATting, no? 21:05 < krzy> yes 21:05 < ecrist> rmull: if you're a FreeBSD guy, this might help, too: https://www.secure-computing.net/wiki/index.php/IPv6_on_FreeBSD_6.2 21:05 < rmull> They're two separate things. 21:05 < vpnHelper> Title: IPv6 on FreeBSD 6.2 - Secure Computing Wiki (at www.secure-computing.net) 21:05 < krzy> but is quite simple 21:05 < rmull> ecrist: Damn, very nice :D 21:06 < ecrist> it still breaks SIP - you shouldn't have to run STUN. 21:06 < rmull> Perhaps I'll drop the dough on a Soekris or something just for testing purposes. 21:06 < ecrist> like I said, if you need any Ipv6 help, hit me up. 21:07 * ecrist goes for a beer. 
21:07 < krzy> ya im gone too 21:07 < rmull> ecrist: You'll be hearing from me, thanks mang 21:07 * krzy & 21:15 < Dougy> oO 21:15 < Dougy> bye krzy 21:22 < ecrist> Dougy: did you get your VPS figured out? 21:23 < Dougy> ecrist: the VPS is up, long up 21:23 < Dougy> directadmin :< 21:23 < ecrist> what is directadmin? 21:23 < Dougy> www.directadmin.com 21:23 < Dougy> its a control panel 21:23 < Dougy> yeah yeah, cli shut up. 21:23 < Dougy> directadmin makes life easy. 21:24 < ecrist> ok, but what does it do for you that you can't just do? 21:24 < Dougy> Saves me a ton of work 21:24 < Dougy> customers want it as well 21:24 < Dougy> I can do it all myself if I want, but for $5/mo who can complain 21:25 < ecrist> not to pry, I'm just curious, are you hosting for people, then? 21:25 < Dougy> A few of my friends, yessir 21:25 < Dougy> Eventually I'd like to sell locally, but at this juncture that's not a wise decision. 21:25 < Dougy> I mean, I can do most of it via cli. 21:25 < Dougy> One thing I *can't* do is mailservers. 21:26 < ecrist> oh, postfix+postfixadmin ftw 21:26 < ecrist> :) 21:26 < Dougy> Word. 21:26 * Dougy is lazty 21:26 < Dougy> lazy^ 21:26 < Dougy> DirectAdmin is really nice 21:26 < Dougy> cPanel is crap. 21:26 < ecrist> fair enough. 21:27 < Dougy> DirectAdmin uses postfix, actually 21:27 < ecrist> never used either of them. 21:27 < ecrist> linux on your VPS? 21:27 < Dougy> Yup. 21:27 < Dougy> Wow. I've really almost never seen someone familiar with IRC that hasn't used cPanel 21:27 < Dougy> Majority of people online have, actually. 21:29 < Dougy> ecrist: I even use Linux on my home computers 21:29 < Dougy> I am almost windows free. The only trace of Windows on my computers is this laptop. I dual boot just because my mic only works on windows 21:29 < ecrist> I've always had my own servers. 21:30 < Dougy> Winblows? 21:30 < Dougy> Windows^ 21:30 < ecrist> you asking if I use Windows? 
21:30 < Dougy> yes 21:30 < Dougy> on your servers 21:31 < ecrist> no, I do not. 21:31 < Dougy> What do you use? 21:31 < ecrist> FreeBSD 21:31 < Dougy> I figured 21:31 < Dougy> I like FreeBSD 21:31 < Dougy> I prefer Debian, but BSD is up there 21:32 < ecrist> you figured? 21:33 < Dougy> You seem like a FreeBSD type of guy 21:33 < ecrist> tx, i think 21:34 < Dougy> hehe 21:34 < Dougy> Ports is nice 21:34 < Dougy> are^ 21:34 < Dougy> I'm out of here. Night. 21:34 -!- Dougy [n=douglas@ool-43503ed4.dyn.optonline.net] has quit ["leaving"] 21:37 -!- near [n=near@83-155-189-82.rev.libertysurf.net] has quit [Read error: 110 (Connection timed out)] 21:38 -!- near [n=near@88-122-26-69.rev.libertysurf.net] has joined ##openvpn 22:28 -!- prattfall [n=sten@c-68-51-79-157.hsd1.il.comcast.net] has joined ##openvpn 22:29 -!- prattfall [n=sten@c-68-51-79-157.hsd1.il.comcast.net] has quit [Client Quit] 22:31 -!- Irssi: ##openvpn: Total of 40 nicks [0 ops, 0 halfops, 0 voices, 40 normal] 23:38 -!- onats [n=15172@unaffiliated/onats] has joined ##openvpn 23:55 -!- jeffspeff2 [i=jeff@c-98-240-113-135.hsd1.ky.comcast.net] has quit ["I Quit!"] --- Day changed Tue Aug 26 2008 01:17 < krzee> [22:27] Wow. I've really almost never seen someone familiar with IRC that hasn't used cPanel 01:18 < onats> what's cPanel? 
01:18 < krzee> I've been on IRC since the mid 90's and only even looked at cpanel once, but decided to just do everything at the shell, was much easier for me to do things at the shell than use cpanel 01:19 < krzee> some app that lets people who dont know anything about *nix run insecure servers 01:19 < krzee> ;] 02:05 < kraut> moin 02:05 * kraut slaps krzy 02:08 < krzee> lol 02:08 < krzee> !kraut 02:08 < vpnHelper> krzee: "kraut" is moin 02:08 < krzee> ;] 03:15 -!- Bheam [i=Bheam@77.94.234.164] has quit [] 03:16 -!- onats [n=15172@unaffiliated/onats] has left ##openvpn [] 03:44 -!- stephanbuys [n=stephanb@gprs02.rb.mtnns.net] has joined ##openvpn 03:46 < stephanbuys> hi all, anyone know if it is possible to run OpenVPN server in a FreeBSD jail? 03:58 -!- stephanbuys [n=stephanb@gprs02.rb.mtnns.net] has quit [] 04:15 -!- gongoputch [n=kseel@74.95.184.161] has quit [Read error: 104 (Connection reset by peer)] 04:18 -!- gongoputch [n=kseel@74.95.184.161] has joined ##openvpn 07:08 < ecrist> good morning, folks. 07:09 < ecrist> yeah, I knew/know what cPanel is, just never used it. 08:13 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 113 (No route to host)] 08:13 -!- krzy [i=krzee@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)] 08:53 < ecrist> quiet in here today. 
08:56 -!- mcp is now known as emcepe 08:56 -!- mcp [n=mcp@wolk-project.de] has joined ##openvpn 08:57 -!- emcepe [n=hightowe@wolk-project.de] has quit [Remote closed the connection] 09:03 -!- mcp [n=mcp@wolk-project.de] has quit ["ZNC - http://znc.sourceforge.net"] 09:08 -!- temba [i=pommes@91-64-108-91-dynip.superkabel.de] has joined ##openvpn 09:12 -!- mcp [n=mcp@wolk-project.de] has joined ##openvpn 09:29 -!- epsilon [n=epsilon@raid1.net] has left ##openvpn ["Leaving"] 09:55 < Dougy|Work> mornin 10:16 < ecrist> hi, dogmeat 10:16 < ecrist> erm, Dougy|Work 10:20 -!- slango [n=slango@unaffiliated/iamethos] has joined ##openvpn 10:21 < slango> so, I have to connect to both an OpenVPN and a Cisco VPN for work 10:21 < ecrist> ok 10:22 < Dougy|Work> hey ecrist 10:22 < Dougy|Work> How are you? 10:22 < slango> however, when I start the cisco client while the OpenVPN client is running, I get an error 10:22 < ecrist> slango: probably having to do with no route to host? 10:22 < slango> I'm thinking the Cisco VPN wants to listen on the same ports as the openvpn one 10:22 < slango> ecrist yeah, it tells me to make sure at least one interface is up? 10:23 < slango> ecrist: "Unable to communicate with the VPN subsystem." is how they put it 10:23 < ecrist> slango: your Cisco VPN is probably grabbing default route for your machine and the IP for the OpenVPN connection isn't routable across that link. 10:23 < ecrist> I'd talk to your admins. 
10:24 < slango> I see 10:27 -!- aia [n=aia@unaffiliated/aia] has quit ["Bye"] 10:30 -!- fsckedagain [n=fsckedag@71-154-139-61.ded.pacbell.net] has quit ["Leaving"] 10:30 -!- chemokid [n=chemokid@76-10-182-143.dsl.teksavvy.com] has joined ##openvpn 10:50 -!- temba [i=pommes@91-64-108-91-dynip.superkabel.de] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"] 10:54 -!- aptanet [n=Paul@87-127-190-18.no-dns-yet.enta.net] has joined ##openvpn 11:10 -!- temba [n=okotoba@91-64-108-91-dynip.superkabel.de] has joined ##openvpn 11:42 < dogmeat> ecrist, hi 11:42 < ecrist> :) 11:56 -!- devicenull [n=devicenu@64.252.135.178] has joined ##openvpn 12:08 -!- slango [n=slango@unaffiliated/iamethos] has quit [Read error: 104 (Connection reset by peer)] 12:28 < devicenull> I'm having trouble setting up openvpn with redirect-gateway.. the client just seems to ignore the tunnel and just use the normal internet connection 12:28 < devicenull> http://dev3.ampaste.net/m552a99aa is my server configuration 12:29 < devicenull> the client gets an IP of 10.8.0.9, and looking at the routing table has a default route for the tunnel set up with a low metric 12:30 < devicenull> I've been going off the information at http://www.wains.be/index.php/2008/07/18/openvpn-routing-all-traffic-through-the-vpn-tunnel/ for setting it up 12:30 < ecrist> can you show us a traceroute? 12:31 < ecrist> also, what version of OpenVPN are you using? 12:31 < devicenull> yea, it doesnt even go through the tunnel 12:31 < devicenull> 2.0.9 windows on the client 12:31 < devicenull> 2.0.9 on the server 12:32 < devicenull> http://dev3.ampaste.net/m3f4d25c5 tracert 12:32 < devicenull> http://dev3.ampaste.net/m17392eb8 routing table on the client 12:32 < ecrist> and an output from ifconfig /all 12:33 < devicenull> I assume you mean ipconfig, one sec 12:34 < ecrist> yes, sorry 12:35 < devicenull> I managed to break ipconfig somehow, I have to go find the fix 12:35 < ecrist> ok. 
12:37 < plaerzen> ecrist, you're like the unsung hero of #openvpn 12:37 < ecrist> o.O 12:37 < plaerzen> every time I look over here, you're helping someone 12:38 < ecrist> eh, I try. thanks for noticing, thogh. 12:38 < ecrist> though* 12:38 < ecrist> honestly, it shows how mundane my job is. ;) 12:39 < devicenull> ugh apparently my tcpip stack is broken, that's fun 12:40 < devicenull> I wonder if thats part of the issue 12:40 < ecrist> devicenull: it's windows, reboot. 12:40 < devicenull> ipconfig has been broken for awhile 12:40 < devicenull> it's never bothered me because it's not a huge issue 12:41 < ecrist> can you ping 10.8.0.1? 12:41 < devicenull> yea, I could 12:42 < devicenull> restarting now 12:42 < devicenull> sweet ipconfig works 12:43 < ecrist> newegg FTW 12:43 < ecrist> me: "I bought this, and it stopped working." 12:44 < ecrist> newegg: "Damn, here's an RMA, we'll pay the shipping. You'll have a new one 3 days after we get your broken one." 12:44 < ecrist> me: "Let's argue about it." 12:44 < devicenull> now it's broken again, wtf windows I hate you 12:44 < ecrist> newegg: "it's not needed, but if it'll make you happy, sure" 12:44 < ecrist> me: "you're not supposed to agree with me" 12:44 < ecrist> newegg: "I'm sorry." 12:45 < ecrist> me: "I give up." 12:45 < devicenull> ok, I can ping 10.8.0.1, but http doesnt work.. lets see what tracert shows 12:45 < devicenull> lol 12:45 < ecrist> newegg: "have a nice day" 12:45 < devicenull> tracert shows a bunch of * * * Request timed out lines, and no actual content 12:46 < devicenull> lets see if tracert -d does any better 12:46 < devicenull> nope 12:46 < ecrist> does the routing table look the same? 
12:47 < devicenull> no, actually it's different 12:47 < devicenull> my default gateway finally changed to 10.8.0.9 12:47 < devicenull> and it's actually fairly different 12:47 < devicenull> the interesting thing is I can ping the real IP address of the VPN server 12:50 < devicenull> but that's the only machine I can ping/ssh 12:51 < devicenull> I can pastebin the new routing table if you wan 12:51 < devicenull> *want 12:53 < devicenull> hmm, iptables doesnt show the nat rule after I've added it 12:54 < devicenull> ahha 12:54 < devicenull> had duplicate entries in iptables 12:55 < devicenull> ugh, nope.. windows seems to have fixed it by ignoring the vpn link again 12:58 < devicenull> okay that's weird 12:58 < devicenull> it's sending data via the VPN, but not receiving any responses 12:58 < devicenull> makes me think it's an issue with the server, rather than the client 12:59 < ecrist> devicenull: you can't ping the remote endpoint addresses. 12:59 < ecrist> so, clients will only be able to ping the primary VPN address. 12:59 < ecrist> in your case, 10.8.0.1 13:00 < devicenull> yea, I can ping that 13:00 < devicenull> MULTI: bad source address from client [192.168.3.22], packet dropped 13:00 < devicenull> I get a bunch of those, lets see what google says about it 13:01 < devicenull> and now it's magically working with no changes 13:17 < ecrist> plaerzen: it would appear not everyone likes me. Just yesterday: 13:17 < ecrist> 13:52 < jeffspeff> you're a jack ass 13:26 < devicenull> I've got what would seem to be a stupid question.. is there user authentication in openvpn? It would seem it just kinda allows any client to connect 13:26 < devicenull> or does it require that the client's keys be signed by the CA I created? 13:32 < devicenull> found the docs :D 13:34 < devicenull> actually it doesnt seem to be addressed that much 13:34 < ecrist> what's not addressed? 
13:35 < devicenull> how it does authentication 13:35 < devicenull> does it allow everyone to connect by default? 13:35 < ecrist> clients cannot connect unless their certificate is signed by the CA Root certificate, or somewhere appropriate within the certificate chain. 13:35 < devicenull> ah, that's what I thought 13:35 < devicenull> thanks :) 14:31 -!- Netsplit kubrick.freenode.net <-> irc.freenode.net quits: rmull 14:43 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 15:06 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn 15:12 -!- CppIsWeird [n=user@unaffiliated/cppisweird] has joined ##openvpn 15:14 < CppIsWeird> is there any way to set up vpn or a network connection at all that when I am at the location it uses the local network, and while I am not at the location, it uses the internet? 15:15 < CppIsWeird> I'm trying to set up one connection and IP that I can use for access to home that is the same whether im here or not so that I dont have to have two instances of everything depending on where I am 15:15 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Nick collision from services.] 15:16 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn 15:17 -!- temba [n=okotoba@91-64-108-91-dynip.superkabel.de] has quit [Connection timed out] 15:17 -!- ITguru [n=ITguru@5ac30288.bb.sky.com] has joined ##openvpn 15:18 < CppIsWeird> reason I ask about doing it with openvpn is because I would like the remote access to my home network going through openvpn if any such method is possible. 15:19 < ITguru> openvpn, and network manager are a match made in hell! 
15:19 < SilenceGold> uh 15:19 < CppIsWeird> good to know 15:19 < ITguru> I get p12 files from my smoothwall install - and I would like to know where I can find the CA file, so I can use network manager 15:19 < SilenceGold> CppIsWeird you can use VPN tunnels to access remote LAN over the internet if you wanted 15:19 < SilenceGold> just need an endpoint at each sides 15:21 < CppIsWeird> yes, i know this, i wasn't asking that possibility, i was asking the possibility of openvpn connecting over the internet when I am not at that network and connecting locally when I am on the network in question, that way I can set up services to run through the openvpn IP's when local or remote. 15:22 -!- chemokid [n=chemokid@76-10-182-143.dsl.teksavvy.com] has quit ["fooood"] 15:24 < ITguru> CppIsWeird, that's more of a DNS issue, rather than an OpenVPN issue 15:24 < CppIsWeird> ... how you figure? 15:25 < CppIsWeird> actually... i think i know how you might figure that... 15:26 < CppIsWeird> hmm... so like i should have net.whatever.com and when im outside the network it will go to the dns and get redirected home, and have a dns on the internet network that picks it up and redirects it internally, yes? 15:27 < CppIsWeird> s/internet network/internal network/ 15:27 < ITguru> Something like that 15:28 * CppIsWeird fears dns servers 15:28 < CppIsWeird> anyways, I'm hungry, thanks for the redirection. later. 15:28 < ITguru> CppIsWeird, DNS servers are a pain in the *** 15:28 -!- CppIsWeird [n=user@unaffiliated/cppisweird] has quit ["FEAR DA DNS!"] 15:29 < ITguru> But i love 'em! 15:29 < ecrist> DNS is not difficult. 15:30 < ITguru> ecrist, it's not difficult, but it's a pain! 15:34 < Dougy|Work> Yay 15:34 < Dougy|Work> new server 15:34 < Dougy|Work> DNS is fun as hell 15:34 < Dougy|Work> until you get a support ticket like I did today 15:34 < Dougy|Work> to do RDNS records for every single IP in a /21 15:35 < Dougy|Work> i wanted to cry 15:44 < ecrist> Dougy|Work: that's scriptable. 
15:44 < ecrist> unless you're using a GUI admin console... 15:45 < ecrist> and, as far as a /21, my guess is most of them followed some pattern, which can be done with a proper $GENERATE statement in the config. 15:46 < ITguru> Damn - Dougy|Work I feel for you dude! 15:51 < SilenceGold> I love CLI style for dns records :) 16:07 < Dougy|Work> ITguru: ugh fucking shoot me 16:07 < Dougy|Work> please 16:07 < Dougy|Work> ecrist: IRC vhosts. 16:07 < Dougy|Work> :( 16:09 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Client Quit] 16:17 < ecrist> Dougy|Work: what? 16:19 < Dougy|Work> ecrist: those RDNS's had no pattern 16:19 < Dougy|Work> every one was a weird IRC vhost 16:19 < Dougy|Work> :( 16:19 < Dougy|Work> took me literally 2 and a half hours to get it all done 16:20 < ecrist> Dougy|Work: still coulda been scripted. 16:20 < ecrist> so, you manually set 2,046 reverse DNS records? 16:21 < Dougy|Work> yeah :'( 16:21 * Dougy|Work has no life 16:21 < devicenull> aand, you didn't script that why :D 16:22 < Dougy|Work> i don't scrip 16:22 < Dougy|Work> t 16:23 < ecrist> could have saved yourself two hours and twenty nine minutes. 16:24 < Dougy|Work> lol 16:24 < Dougy|Work> i dont mind really 16:24 < ecrist> that's a rather large IRC network. 
16:24 < Dougy|Work> it was either do that 16:24 < Dougy|Work> its a whole shell provider 16:24 < Dougy|Work> and 16:24 < Dougy|Work> it was either do that or sit here and twiddle my thumbs 16:25 * ecrist votes for thumb-twiddling 16:28 < devicenull> you have internet access, how can you be bored :D 16:29 < Dougy|Work> er 16:29 < Dougy|Work> you'd be surprised 16:29 < Dougy|Work> heh 16:35 < devicenull> no, I wouldn't actually 16:44 -!- Tido [n=tido@216.235.158.34] has joined ##openvpn 16:44 < ecrist> hi, Tido 16:44 < Tido> hey ecrist 16:45 < Tido> so I need to go from completely novice at openvpn to having a working vpn through a firewall I can't control 16:46 < Tido> can I use an openvpn client on the firewalled network to access an openvpn server on another, and thus let me have my access without all this crappy F5 vpn bs? 16:47 < devicenull> that seems to be the general point of a vpn 16:47 < Tido> except it's backwards 16:47 < devicenull> what :o 16:47 < devicenull> no, that doesn't seem backwards 16:47 < Tido> you'd run the server on the network you're trying to connect to usually, right? 16:47 < ecrist> Tido: yes, you can do that. 16:47 < devicenull> Tido: oh yea 16:47 < ecrist> depending on how restrictive the firewall is. 16:47 -!- vladi-bg [n=vladi@206-169-1-36.static.twtelecom.net] has joined ##openvpn 16:48 < Tido> well, I'm not going to be able to route a port to my box, so I have to connect to a server outside of the network for this to work 16:49 < ecrist> Tido, firewalls can be restrictive out, as well as in. If that's not a problem, there's no reason you can't do what you're looking for with OpenVPN. 16:49 < Tido> it's not restrictive out 16:49 < Tido> just in 16:49 < ecrist> then you're fine. 
16:49 < Tido> ok, now just need to figure out how to do it :x 16:49 < vladi-bg> hi, i have two vpn tunnels and when i try to go from one tunnel and ping a host on the other tunnel i trace the packet all the way to the tun device of the destination tunnel but it doesnt seem to go to the other end of the tunnel do i need to do snat or something? 16:50 < Dougy|Work> ecrist 16:50 < Dougy|Work> nslookup ovpnforum.com for me please 16:50 < Dougy|Work> tell me if it returns an IP in the 69. 16:50 < ecrist> ovpnforum.com: not found 16:50 < devicenull> [17:50] [DNS] Canonical: ovpnforum.com Numerical: 69.73.151.150 16:50 < ecrist> ovpnforum.com has address 209.250.239.150 16:50 < ecrist> ovpnforum.com mail is handled by 10 mail.ovpnforum.com. 16:51 < Dougy|Work> hmm 16:51 < Dougy|Work> it works for devicenull 16:51 < ecrist> vladi-bg: I don't follow. 16:51 < ecrist> Dougy|Work: it worked for me, ignore not found. 16:52 < Dougy|Work> ecrist: ok 16:52 < devicenull> dns caching is irritating isn't it 16:52 < Dougy|Work> yes it is 16:52 < ecrist> set a lower TTL next time. 16:53 < Dougy|Work> directadmin does 14400 by default 16:53 * Dougy|Work replaces it with "500" 16:59 -!- ITguru [n=ITguru@5ac30288.bb.sky.com] has quit [Read error: 110 (Connection timed out)] 17:02 -!- rsc [n=robert@fedora/rsc] has left ##openvpn ["Linux - The future has already started!"] 17:11 < vladi-bg> ecrist: i have office1 >tun0/10.10.0.x< vpnbox >10.8.0.x/tun2< office2 17:11 < vladi-bg> ecrist: and when i do a tshark on tun2 i see the pings coming from 10.10.0.2 but no reply and on the office2 vpn i dont see them as well 17:12 < ecrist> are you routing those networks? 17:12 < vladi-bg> ecrist: yes 17:12 < vladi-bg> ecrist: do i need to have them in the ccd file? 17:13 < vladi-bg> ecrist: i mean it knows to take the path to tun2 its just not going over it 17:14 < ecrist> then it doesn't know. 17:15 < ecrist> if it did, it would take the path. 
17:15 < ecrist> is the vpn box your default router in each office? 17:15 < vladi-bg> ecrist: nope 17:15 < vladi-bg> ecrist: there are routes on the default router for the subnets that need to go through the vpn 17:16 < vladi-bg> ecrist: i see the icmp packets on tun2 on the vpnbox just not on tun0 on the vpn server in office2 17:17 < vladi-bg> ecrist: do i have to specifically allow something to go through a tunnel? 17:17 < ecrist> do you have client-to-client enabled in config? 17:17 < vladi-bg> ecrist: like a new subnet 17:17 < vladi-bg> ecrist: yes 17:17 < ecrist> you don't have to say my name with each message. 17:17 < vladi-bg> sorry used to it 17:23 < ecrist> vladi-bg: can you pastebin your client and server configs? 17:23 -!- Tido [n=tido@216.235.158.34] has quit ["Leaving"] 17:27 < vladi-bg> ecrist: so i need client-to-client on a server in order for it to accept packets not originating for the ptp tunnel ip 17:29 < ecrist> no, on the server 17:44 < vladi-bg> ecrist: sorry i just read up on client-to-client i dont think that will fix my problem because in my case i have two diff vpn tunnels / servers 17:45 < vladi-bg> office1/vpnsrv1 > tun0 >< office/vpnclient >< tun1 > office2/vpnsrv2 17:45 < vladi-bg> so i do a ping from office1 to office2 ip space 17:45 < vladi-bg> i can see the pings on tun1 but their source is ip of tun0 17:46 < vladi-bg> so i think tun1 is not passing them through the tunnel 17:46 < ecrist> firewall? 17:46 < vladi-bg> because of some restriction 17:46 < ecrist> vladi-bg: openvpn doesn't really do any restricting in terms of routing. 17:46 < vladi-bg> ecrist: im logging dropped packets and i dont see anything being dropped 17:46 < ecrist> that sentence doesn't even make sense. 
17:47 < vladi-bg> sorry not english 17:48 < vladi-bg> im logging dropped packets on my firewall and i dont see anything in logs that is dropped when i try that 17:48 < ecrist> vladi-bg: my guess is that it's not an OpenVPN issue - you're either missing a route on your routing table, or your firewall is dropping the packets. 17:56 -!- temba [i=pommes@91-64-108-91-dynip.superkabel.de] has joined ##openvpn 17:59 -!- lwithers [n=lwithers@chrysocolla.lwithers.me.uk] has joined ##openvpn 17:59 -!- Irssi: ##openvpn: Total of 35 nicks [0 ops, 0 halfops, 0 voices, 35 normal] 18:01 < lwithers> hi, I have an openvpn server instance running on a machine, with "dev tun" and "topology subnet". If a client to this instance is compromised, can this client be used to do anything to the other clients? 18:01 < lwithers> obviously it can route to them, but I mean can it sniff packets or screw with their routing? 18:07 < ecrist> lwithers: how would it screw anything up? 18:15 -!- plaerzen is now known as pla 18:15 -!- pla is now known as plae 18:16 -!- plaerzen [n=user@S010600119505deed.cg.shawcable.net] has joined ##openvpn 18:17 < plaerzen> Hello guys. Just connected via my nokia n810 18:18 < plaerzen> Maemo os 18:19 < lwithers> ecrist: I don't know, that's why I'm asking -- basically I'm trying to determine the ramifications of a subverted client 18:19 < lwithers> sure, it can connect to services that might only be exposed on the VPN interface of other clients 18:19 < lwithers> but can it do anything else? 18:19 < lwithers> can it be used to intercept passwords sent in "plaintext" across the VPN? 18:38 -!- aptanet [n=Paul@87-127-190-18.no-dns-yet.enta.net] has quit ["Leaving"] 18:46 < vladi-bg> ok so once a tunnel is established is there anything that will prevent it not passing traffic through given that there is a route for a certain subnet to go through it? 
18:47 < vladi-bg> besides the obvious firewall 18:50 -!- plaerzen [n=user@S010600119505deed.cg.shawcable.net] has quit ["Leaving."] 18:55 -!- ByPasS [n=bypass@modemcable076.69-21-96.mc.videotron.ca] has joined ##openvpn 18:56 < ByPasS> its not purely openvpn oriented but any1 know if iptables can port forward from real server ip inside an openvpn client ? 19:01 -!- temba [i=pommes@91-64-108-91-dynip.superkabel.de] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"] 19:04 -!- plae [n=cam@S010600119505deed.cg.shawcable.net] has quit ["BitchX: Little. Yellow. Better."] 19:35 -!- Dougy [n=douglas@ool-43503ed4.dyn.optonline.net] has joined ##openvpn 19:39 < Dougy> no krzy 19:39 < Dougy> :< 19:57 -!- lwithers [n=lwithers@chrysocolla.lwithers.me.uk] has left ##openvpn [] 20:04 < Dougy> ermm 20:04 < Dougy> ecrist: there? 20:32 < ecrist> yep 20:33 < Dougy> sup 20:33 * Dougy is pissed off at Namecheap 20:35 < ecrist> what do you need? 20:36 < Dougy> nothing any more 20:36 < Dougy> i fixed it 20:36 < Dougy> i need to go bitch at namecheap and comodo 20:36 < Dougy> brb 20:36 < Dougy> i cant believe them 20:36 < Dougy> -bash-3.2# openssl req -noout -text -in ovpnforum.com.csr 20:36 < Dougy> Certificate Request: 20:36 < Dougy> Data: 20:36 < Dougy> Version: 0 (0x0) 20:36 < Dougy> Subject: C=US, ST=New Jersey, L=Fair Lawn, O=OpenVPN, OU=Forum, CN=ovpnforum.com/emailAddress=me@douglashaber.com 20:36 < Dougy> i have that 20:37 < Dougy> but the ssl cert they gave me to install (The actual cert) is signed to Localhost in Someplace 20:37 < ecrist> why the fuck would you use an actual CA for an OpenVPN server? 20:37 < Dougy> I'm not 20:37 < Dougy> o.O 20:38 < Dougy> It's for ovpnforum.com 20:38 < ecrist> oh, ok. 20:39 -!- krzee [i=krzee@unaffiliated/krzee] has joined ##OpenVPN 20:39 < Dougy> krzee! 
20:40 < Dougy> :d 20:40 < Dougy> but namecheap is pissssssssssing me off 20:40 < krzee> wassssssup 20:40 -!- Grapsus [n=grapsus@che21-2-82-245-89-120.fbx.proxad.net] has joined ##openvpn 20:41 < Dougy> nm 20:41 < Dougy> oh wtf 20:41 < Dougy> vB is pissing me off now too! 20:41 < krzee> well you sound rather pissed off 20:41 < krzee> me on the other hand... pretty happy 20:41 < Grapsus> Hello ! 20:42 < krzee> hey Grapsus =] 20:43 < ecrist> Dougy: why'd you buy an SSL cert for ovpnforum.com? 20:44 < krzee> ive never even considered buying an ssl cert for anything, wouldnt unless i planned on doing e-commerce 20:44 < krzee> ild go self-signed 20:44 < ecrist> it's what I did. 20:44 < Grapsus> What are you chatting about ? 20:44 < krzee> yup ecrist, ild do the same as you personally 20:45 < Dougy> ecrist: I didn't 20:45 < Dougy> www.namecheap.com 20:45 < krzee> Grapsus, Dougy is gunna start an openvpn forum 20:45 < Dougy> free :) 20:45 < krzee> Grapsus, but if you need help with anything feel free to interrupt =] 20:46 < Grapsus> krzee: I don't actually need help 20:46 < krzee> ahh ok 20:46 < krzee> just thought ild offer that ;] 20:46 < Grapsus> openvpn is doing great job for me, so I joined this channel to help someone if needed 20:46 < Dougy> :) 20:47 < krzee> Grapsus, very cool 20:47 < krzee> !menu 20:47 < vpnHelper> krzee: "menu" is !betaman, !tls-cipher, !howto, !faq, !winroute, !iroute, !route, !mail, !tls-verify, !pastebin, !logs, !man, !ubuntu, !gentoo, !freebsd, !ccd, !mtu, !bridge, !tcp, !privledges, !insanity, !nat, !secure, !ask, !wiki, !sample, !configs, !winpass, !dev, !/30, !multi, !router, !notopenvpn, !path, !netman, !tls-auth, !push, !download 20:48 < krzee> those might help you when helping people 20:48 < Dougy> !forum is gonna be there soon 20:48 < Dougy> :o 20:48 < vpnHelper> Dougy: Error: "forum" is not a valid command. 
20:48 < Dougy> oh shut up 20:48 < Dougy> lol 20:48 < krzee> hehe 20:49 < Grapsus> a forum would be cooler than the mailing list for simple questions for people who just start with ovpn 20:49 -!- mode/##openvpn [+o Grapsus] by ChanServ 20:49 < krzee> yup 20:49 < krzee> we also have a wiki 20:49 < krzee> for making writeups for things we commonly help people with 20:50 < krzee> ie: 20:50 < krzee> !route 20:50 < vpnHelper> krzee: "route" is https://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 20:50 < krzee> the writeup i made to help people understand route, iroute, push, ccd 20:51 < krzee> ecrist runs the wiki but its public editable 20:51 < Dougy> Grapsus: I agree 20:51 < Dougy> I want no personal gain out of it other than something fun to do 20:52 < Dougy> well 20:52 < Dougy> http://ovpnforum.com/ 20:52 < Dougy> yeah, nothing's been done yet, not even forums 20:52 < Dougy> but if you guys feel like joining now float your boat 20:53 < ecrist> you pay for vbulletin? 20:53 < Dougy> ecrist: already had it 20:53 < Dougy> that license has literally been sitting for 4 months 20:53 < Dougy> I paid $90 for the year in Dec 07 20:56 < krzee> ecrist, supybot can plugin to the forum to give us updates on forum entries, we can play with that to see if its annoying or not 20:56 < krzee> #aircrack-ng uses it and its great in there 20:56 < ecrist> krzee: up to you, I'm not running this joint. 20:57 < krzee> well ya but you are here helping often, ild like to get a consensus from those who are around helping on it 20:58 < krzee> cause if its going to help more people it's good, but if its gunna cause some who are here helping to pay less attention then its bad 20:58 < Dougy> By the way guys 20:58 < Dougy> If you wanna suggest forums for me to add, please do' 20:59 < krzee> ecrist, basically im just saying i will value your opinion on that 20:59 < krzee> when i get it up 21:02 < Dougy> so real fast guys.. 21:02 < Dougy> What are some forums I should add? 
21:03 < krzee> just figure it out as you go 21:04 < krzee> im gunna join when im home so i can save the pw into my crowser 21:04 < krzee> browser 21:05 < krzee> likely in a couple days... tonight i got a girl, tomorrow is my bday 21:06 < Dougy> Righto 21:06 < Dougy> Haha krzee gonna get some huh? :P 21:06 < Dougy> And since I won't see you tomorrow (probably), happy birthday :) 21:06 < krzee> yup 21:06 < krzee> hehe 21:06 < krzee> and thanx 21:06 < krzee> ill prolly be on a lil during the day, but at night definitely not 21:06 -!- rmull_ [n=boom@c-76-117-208-224.hsd1.nj.comcast.net] has joined ##openvpn 21:06 < rmull_> Woah, we have to be identified now? 21:07 -!- rmull_ is now known as rmull 21:07 < Dougy> sup rmull 21:07 < Dougy> ooo 21:07 < Dougy> New jersey? 21:07 < Dougy> :O 21:07 < rmull> Yessir 21:07 < Dougy> Badass. 21:07 < Dougy> :D 21:07 < rmull> :\ 21:07 < Dougy> I work in Secaucus 21:07 < rmull> Why do you say that? 21:07 < rmull> Ohh, shit 21:07 < Dougy> word. 21:07 < rmull> I was looking at scoring some colo space in secaucus. 21:07 < Dougy> Haha. 21:07 < Dougy> How much d'ya need? 21:08 < rmull> Initially? 1-5U. Down the road, possibly a full rack. 21:08 < Dougy> Er. 21:08 < Dougy> We're really really really full now. Like, we don't have half a rack even for colo now. 21:08 < rmull> I was looking at interserver, because they're cheap. Newjerseycolocation.com 21:08 < Dougy> Hahahaha 21:08 < Dougy> I'm in their office *every day* 21:08 < Dougy> we're in the same building 21:08 < rmull> No kidding?? 21:09 < Dougy> Every day 21:09 < Dougy> :P 21:09 < rmull> The dudes with the futon in their office? 21:09 < Dougy> yup 21:09 < Dougy> I was on that futon on Sunday 21:09 < Dougy> o.O 21:09 < rmull> Rofl, that's nuts! 
21:09 < Dougy> watching their TV 21:09 < Dougy> lucky bastards 21:09 < rmull> They have a ton of open rackspace 21:09 < Dougy> yeah 21:09 < rmull> I took a brief tour 21:09 < Dougy> their DC (TEB2) 21:09 < Dougy> is 21:09 < Dougy> so insecure 21:09 < Dougy> It's nice but it's insecure 21:09 < rmull> Details? 21:09 < Dougy> you could kick through that door 21:09 < Dougy> those doors 21:09 < Dougy> finger scanners dont mean shit 21:10 < rmull> I knocked and they opened :D 21:10 < ecrist> Dougy: you're wrong, they do. 21:10 < Dougy> Exactly 21:10 < Dougy> ecrist: what? 21:10 < Dougy> rmull: yeah 21:10 < Dougy> if i had a gun and just knocked 21:10 < Dougy> that equipment is mine 21:10 < Dougy> lol 21:10 < Dougy> rmull: We have about 4 racks in the DC behind their office 21:11 < Dougy> Most of our gear is in the XO datacenter in the other side of the building 21:11 < rmull> How's XO? 21:11 < Dougy> Much more secure :p 21:11 < Dougy> And, I like that DC better 21:11 < Dougy> Keycard entry 21:11 < Dougy> and metal doors 21:11 < rmull> Do you know anything about "SOX" or SAS70 datacenter certification? 21:11 * Dougy is on the interserver finger scanner :D 21:11 < Dougy> Negative 21:11 < Dougy> Hey, brb I need to finish setting up OVPNForum 21:11 < Dougy> :D 21:11 < rmull> Swoot 21:12 < rmull> We're going all out these days, I see 21:12 < ecrist> rmull: I do. 21:12 < rmull> ecrist: Ah - our situation is we've got some clients that require their stuff to be hosted in a certified datacenter 21:12 < Dougy> Neither DC is very secure 21:12 < Dougy> honestly 21:13 < rmull> But I was reading through the cert requirements, and it made it seem that the certification pertained not only to the datacenter, but also to the hardware 21:13 < Dougy> there is no security 21:13 < rmull> Is that true? 21:13 < ecrist> rmull: I don't build data centers, but I install access control systems and procedure. 21:13 < rmull> Dougy: Do the colo providers have any theft insurance or anything? :\ 21:13 < Dougy> rmull: no idea but there's no security guards in place 21:13 < Dougy> in either 21:13 < Dougy> XO you have the keycard, you just walk in and have access to the rack 21:13 < Dougy> nobody stops asks 21:14 < Dougy> there's nobody to stop/ask 21:14 < Dougy> at least for the XO one 21:14 < rmull> Interserver had a cage available if you wanted one, for a fee 21:14 < ecrist> that's usually standard procedure. 21:15 < Dougy> rmull: yes 21:15 < Dougy> that cage is nice 21:15 < Dougy> the cooling in there is insufficient though 21:15 < rmull> I noticed 21:15 < Dougy> they're putting in another AC unit in the back left corner 21:15 < Dougy> eg 21:15 < Dougy> AC UNIT | servers servers | AC unit 21:15 < Dougy> door 21:15 < Dougy> the one on the left is getting installed now 21:15 < Dougy> and theres another one along the right 21:16 < rmull> I'm sure that it still beats running our shit in house, though 21:16 < Dougy> Of course 21:16 < Dougy> but 21:16 < Dougy> i mean they rushed in extra cooling for our racks 21:16 < Dougy> as the servers were putting out 190 degrees in exhaust fans 21:16 < Dougy> now its much cooler in there 21:16 < rmull> The problem with us is that (before I came along) we were just a bunch of IT dudes with windows experience that were geeky enough to set up a network but not geeky enough to do it right, so we didn't hire anybody to actually do the network right 21:16 < Dougy> but its still warmer than it needs to be 21:16 < Dougy> haha rmull 21:17 < rmull> Are you buddies with these colo guys? 
21:17 * rmull sniffs around for discounts 21:17 < Dougy> We (JustEdgE) don't do colo 21:17 < Dougy> I work for Justedge 21:17 < Dougy> (we originally were owned by same people as interserver, then we broke off) 21:17 < Dougy> so yes, I know the guys there 21:18 < Dougy> i can give you a contact or two 21:18 < rmull> Your website says you do colo <_< 21:18 < Dougy> We do 21:18 < Dougy> but 21:18 < Dougy> we're probably at 98 21:18 < Dougy> % capacity 21:18 < rmull> Oh right right. 21:18 < Dougy> My boss said that I can't sell more than 2-3 U colo 21:18 < Dougy> that's all we have 21:18 < rmull> Lol 21:18 < rmull> That's fairly tight. 21:18 < Dougy> We have plenty of space for dedicated servers 21:18 < Dougy> (TEB2, the InterServer) one 21:18 < Dougy> He doesnt like colo clients in there though. 21:19 < ecrist> from what I've see of your network Dougy, my DSL and rack in my basement are more reliable and probably have better peering... 21:19 < Dougy> ecrist: odds are you're probably right 21:19 < Dougy> however 21:19 < Dougy> i replaced the switch in the rack my server was in today 21:20 < Dougy> It was messed up 21:20 < Dougy> I do admit our network has been really borked lately =/ I have nooooooo idea what's causing it 21:20 < Dougy> ecrist: need your advice 21:20 < Dougy> www.ovpnforum.com 21:20 < Dougy> what else do I need (do you think) 21:20 * Dougy is blanking 21:20 < rmull> Dougy: Dev participation? :\ 21:20 < Dougy> rmull: what do you mean 21:21 < rmull> So we have a wiki and junk, and afaik, it's all the irc crowd that will be using it 21:21 < rmull> Any shot of actually getting participation from the ovpn codebase contributors? 21:22 < Dougy> rmull: for what? the forum or the wiki or the? 21:22 < rmull> I guess the forum 21:22 < rmull> The wiki is fine, I'd say 21:22 < Dougy> I would like that.. but.. 21:22 < rmull> I know I know. 
21:22 < rmull> Lol
21:22 < Dougy> rmull: when i said what else do I need, I meant like what forums
21:22 < rmull> How about "examples" ?
21:22 < rmull> Maybe too specific?
21:23 < Dougy> If you explain to me what you mean by "Examples"
21:23 < Dougy> Maybe
21:23 * ecrist agrees with rmull
21:23 < ecrist> rmull, check out !freebsd
21:23 < Dougy> !freebsd
21:23 < vpnHelper> Dougy: "freebsd" is https://www.secure-computing.net/wiki/index.php/OpenVPN_Server
21:23 < rmull> I find it often to be quite helpful to look at working config examples for different network setups
21:23 < ecrist> for a specific example.
21:23 < Dougy> rmull: oh, good idea
21:23 < Dougy> Tutorials too
21:24 < rmull> There are so many ways to config openvpn, it might be helpful to see what people are using that works
21:24 < Dougy> Yep
21:24 < Dougy> Added that forum
21:24 < rmull> ecrist: I've been checking out your ipv6 stuff, and wandered over to the TLDP IPv6 pages
21:24 < Dougy> added Tutorails as well
21:24 < Dougy> Tutorials^
21:24 < rmull> I've set myself up with an account with Hurricane Electric with the goal of using 6to4 encapsulation
21:24 < ecrist> TLDP?
21:25 < rmull> The Linux Documentation Project
21:25 < rmull> Link: http://tldp.org/HOWTO/Linux+IPv6-HOWTO/x683.html
21:25 < vpnHelper> Title: Prefix lengths for routing (at tldp.org)
21:25 < rmull> Not the root URL, sorry
21:25 < rmull> Has a decent bit of history
21:25 < Dougy> Any more things that came to mind, rmull?
21:25 < rmull> Seems that FreeBSD really did some groundbreaking work with ipv6 development
21:25 < rmull> kudos to them
21:25 < rmull> Dougy: Hmm
21:26 < ecrist> rmull: yeah, they were right in there with the KAME project from almost day 1, iirc.
21:26 < Dougy> (by the way, JOIN! :P)
21:26 < rmull> Dougy: Maybe some custom logo action to replace the vbulletin logo?
21:26 < Dougy> rmull: I'll hire my friend to make one soon
21:26 < Dougy> right now i'm talking about just forums
21:27 < ecrist> Dougy: maybe make some noise on the mailing list, build a following?
21:27 < Dougy> Krzy said he was going to do something like that
21:27 < ecrist> put some 'need-to-know' stuff up there now, send people to read it, they will add more.
21:27 < ecrist> it's how my wiki's slowly been rolling.
21:27 < Dougy> ecrist: Can I post your article(s) with a link to them?
21:27 < Dougy> Some
21:28 < Dougy> wiki things
21:28 < ecrist> otoh, I don't care much if my wiki is popular or used, it's mostly for my own reference.
21:28 < ecrist> Dougy: please just mention and link, don't plagiarize.
21:28 < Dougy> I will
21:28 < Dougy> like i'll put the article and say
21:28 < Dougy> Source:
21:28 < rmull> Took me two tries to get the CAPTCHA right
21:28 < rmull> I must be part robot.
21:28 < Dougy> Will that suffice, ecrist?
21:28 < ecrist> Dougy: no
21:29 < Dougy> What do you want me to say then
21:29 < Dougy> ?
21:29 * Dougy will do whatever
21:29 < ecrist> that's not really the purpose of a forum.
21:29 < Dougy> I know
21:29 < Dougy> heh
21:29 < rmull> Yeah, actually...
21:29 < ecrist> a forum is sort of a longer-term IRC session.
21:29 < Dougy> hmm
21:29 < rmull> Perhaps the examples and tutorials belong more in a wiki.
21:29 < Dougy> never heard that analogy before
21:29 < Dougy> Ooh.
21:29 < rmull> Maybe a direct link to secure-computing's wiki in the link bar...
21:30 < Dougy> hahah
21:30 < ecrist> often, forum threads get built into howto/wiki documents.
21:30 < Dougy> i was just typing that, rmull
21:30 < ecrist> or white papers
21:30 < Dougy> So kill the examples and tuts forum, rmull?
21:30 < rmull> Doesn't bother me.
21:31 < ecrist> fwiw, you're welcome to use my wiki, but it's not required.
21:31 < Dougy> ecrist: you're helping me so i'll return it :)
21:31 < rmull> I'd prefer to see tutorials and examples get incubated in the forum and then graduate to the wiki when they're considered "ready"
21:31 < Dougy> i need to think of things I can post
21:31 < Dougy> rmull: that too sounds like a good idea
21:32 < Dougy> Hmm
21:32 < Dougy> I'll write a tutorial on how to install openVPN
21:32 < Dougy> :o
21:32 < rmull> Any of you guys run big fileservers?
21:32 < ecrist> rmull, what's big?
21:32 < rmull> Hmm, 3T or more?
21:32 < ecrist> sorry, 2.7T here.
21:32 < ecrist> :(
21:32 < rmull> Lol, sorry man :\
21:33 < rmull> What do you have?
21:33 < ecrist> work stuff
21:33 < ecrist> medical claim files
21:33 < rmull> I just added 8 TB drives to my puppy
21:33 < ecrist> nope, nothing that big here.
21:34 < rmull> Now I'm rocking 8x 500G and 8x 1T drives, it's heavy :D
21:34 < ecrist> looking forward to better support for ZFS on FreeBSD soon.
21:34 < rmull> Hmm, yeah, about ZFS:
21:34 < ecrist> 8TB for < $800
21:34 < rmull> At first I was all into it
21:34 < rmull> And was going to run FreeBSD for it
21:34 < Dougy> ecrist: yeah
21:34 < Dougy> Scott from bqinternet knows a LOT about the ZFS
21:34 < Dougy> he uses it
21:35 < ecrist> freebsd support for ZFS is still EXP
21:35 < rmull> But now there's a new GPL'd filesystem in the works that's supposed to be a "ZFS-killer"
21:35 < rmull> called tux3
21:35 < rmull> #tux3 on irc.oftc.net
21:35 < rmull> Still a long ways from completion, but my hopes are high
21:36 < rmull> I guess I'm too much of a stodgy ol' Linux stick-in-the-mud
21:36 < rmull> I tried Solaris once and it did not make me happy.
21:36 < ecrist> freebsd camp is not a fan of GPL
21:36 -!- near [n=near@88-122-26-69.rev.libertysurf.net] has quit [Network is unreachable]
21:36 < rmull> I understand. I am personally not much of a fan of GPL because it contradicts itself.
21:37 < rmull> But the ZFS licensing is (IMHO) not doing me any favors
21:37 < rmull> Of all the licenses I'd say I respect BSD licensing the most.
21:38 < ecrist> agreed
21:38 < rmull> From what I've gleaned from the openbsd lists, /nobody/ outside RMS's camp cares much for the GPL.
21:38 < Dougy> hmm
21:38 < Dougy> I guses I need to tidy this up, but http://ovpnforum.com/showthread.php?p=1#post1
21:38 < Dougy> o.O
21:38 < Dougy> guess^
21:39 < rmull> Hmm, I'd recommend making a non-admin account to post from, but that's just me being annoying I guess.
21:39 * Dougy shrugs
21:39 < ecrist> rmull: I know some folks that have had a chance to speak with RMS, apparently he's really bright. But as is usually the case, really crazy, as well.
21:39 < Dougy> I don't see the point of that, why do you say that?
21:39 * Dougy may be missing something
21:40 < ecrist> Dougy: I just get an unavailable message.
21:40 < Dougy> ecrist: what?
21:40 < ecrist> Dougy: same reason we don't sit in here as ops.
21:40 < Dougy> ecrist: true.
21:40 < ecrist> Sorry, the board is unavailable at the moment while we are testing some functionality.
21:40 < ecrist> We will be back soon..
21:40 < Dougy> ecrist: you have it cached
21:40 < Dougy> that's the old server
21:41 < ecrist> oh
21:41 < rmull> Works for me
21:41 * ecrist will look tomorrow.
21:41 < Dougy> non-admin account made
21:42 < rmull> Dougy: What sort of machine is this forum being run on?
21:43 < Dougy> rmull: A vps
21:43 < Dougy> Ever heard of JaguarPC?
21:43 < rmull> Neg
21:44 * rmull googs
21:44 < Dougy> well
21:44 < Dougy> they're a big company
21:44 * rmull barfs at their website :(
21:44 < Dougy> I use another VPS company (Xen based) owned by the same company
21:44 < Dougy> It's on the $34 www.wowvps.com plan
21:44 < Dougy> but
21:44 < Dougy> I know all the guys there so they bumped me up ;)
21:44 < rmull> It's all about who you know
21:44 < rmull> Sweet deal
21:45 < Dougy> I know a few people, all awesome
21:45 < Dougy> :)
21:45 < Dougy> I need to hit the sack
21:45 < Dougy> gotta start getting into school sleep schedule
21:45 < ecrist> where/what do you think secure-computing.net is hosted at/on?
21:45 < Dougy> ecrist: i don't have a clue
21:47 < rmull> ecrist: your basement?
21:47 < ecrist> ;)
21:47 < rmull> iphouse.net?
21:48 < ecrist> yep, on both
21:49 < rmull> sweet.
21:49 < rmull> The only website I run is deconfused.org
21:49 < ecrist> power is rock solid, my dsl is rock solid, I control full access to my rack, and I have my own dedicated server room.
21:49 < rmull> Running in a friend's basement on a gentoo VM
21:50 < ecrist> fwiw, if you ever need cheap, high bandwidth colo, www.colopronto.com
21:50 < Dougy> yuck
21:50 < Dougy> colopronto
21:51 < rmull> Elaborate
21:51 < rmull> :P
21:51 < Dougy> who, me?
21:51 < rmull> Yeah
21:51 < Dougy> I've read horror stories about their cancelation policy
21:51 < Dougy> :p
21:51 < rmull> Ahh
21:51 < ecrist> I've got a buddy with a server down there, I use for secondary/backup stuff.
21:51 < Dougy> I hear they're solid
21:51 < ecrist> we pull a consistent 30Mbps
21:51 < Dougy> but i also hear canceling is murder
21:52 < rmull> ecrist: What's he paying monthly?
21:52 < ecrist> 1u server, 29.99/month, iirc
21:52 -!- Grapsus [n=grapsus@che21-2-82-245-89-120.fbx.proxad.net] has quit ["Quitte"]
21:53 < ecrist> he seeds freebsd torrents and such
21:53 < rmull> I guess none of these places let you run a torrent seedbox, right?
21:53 < ecrist> the only problem we've had is that they get UCEPROTECT level 3 listed once in a while.
21:53 < rmull> Whoops, I mean for copyright-infringing torrents
21:53 < Dougy> hah
21:53 < Dougy> Just get a box at FDC
21:54 < rmull> FDC?
21:54 < Dougy> www.fdcservers.net
21:54 < ecrist> rmull: I'm grown, and so are most of my friends. I have a job, make my share of money, so I pay my share for things I use.
21:54 < ecrist> I stopped stealing stuff *years* ago.
21:54 < Dougy> You can actually get 20 TB of bandwidth on those $150 a month servers, rmull
21:55 < Dougy> http://www.fdcservers.net/Services/DedicatedServers/100MbitUnmeteredservers <-those
21:55 * ecrist goes away
21:55 < vpnHelper> Title: FDC - Services - Dedicated Servers :: Dedicated servers, Colocation chicago, Virtual dedicated servers, Dedicated server forums, virtual dedicated server forums, VDS, VPS, virtual private servers (at www.fdcservers.net)
21:55 < rmull> ecrist: :\
21:55 * Dougy has nothing illegal on his PC
21:56 < rmull> We can talk about something else. I do not mean to annoy people.
21:58 * Dougy shrugs
21:58 < Dougy> im brainstorming for the forum
21:58 < rmull> Dougy: My biggest concern is whether or not people will actually use it
21:58 < Dougy> rmull: every website i've ever run has been a tragic failure
21:58 < rmull> I mean, between the mailing list, IRC, and the new wiki, there's a lot of help already
21:58 < Dougy> so i'm prepared for it
21:58 < rmull> That's a little depressing :\
21:58 < Dougy> Not really
21:59 < Dougy> I just figure after all these fuck ups, one will do decent.
21:59 < Dougy> "{
21:59 < Dougy> :(
21:59 < rmull> If you can somehow get a decent groundswell, maybe it's worthwhile to talk to the maintainers of the openvpn website and get a link posted
21:59 < Dougy> Yup.
21:59 < Dougy> I hope so, I'll do all I can
22:01 < rmull> I wormed my way into running a forum for this one paintball company back when I was 14
22:01 < rmull> It was pretty sweet
22:01 < Dougy> Nice
22:01 < Dougy> I'm only a year older than that
22:01 < Dougy> so
22:01 * Dougy shrugs
22:01 < rmull> They eventually went out of business due to legal pressure from The Man, but they sent me two baseball hats for all my work
22:01 * rmull score
22:02 < Dougy> :(
22:02 < Dougy> Well.
22:02 < Dougy> I just hope this site does something. I really do.
22:02 < rmull> Why?
22:02 < rmull> Not to be negative or anything
22:03 < rmull> Lol
22:03 < Dougy> I want to be able to say I helped something go
22:03 < Dougy> and i want that something to not be a complete failure
22:03 < rmull> Yes, that would be nice
22:03 < rmull> There are a lot of opportunities for things like that with open source communities
22:03 < Dougy> Yup
22:04 < Dougy> I think this has a chance.. everyone here is nice
22:04 < rmull> I've noticed that.
22:04 < rmull> Heh
22:04 < rmull> I hang out in a few other channels but I don't shoot the shit in them.
22:04 < Dougy> ah
22:05 < Dougy> Wow.
22:05 < Dougy> This girl just clicked "Yes" on a facebook app to date me
22:05 < Dougy> My friend who I showed her pic said
22:05 < Dougy> "more like a hump and dump hit and quit bag and tag"
22:05 < Dougy> Hah.
22:05 < rmull> Hmm
22:06 < Dougy> yeah, everyone in here is nice that i've spoken to so far
22:06 < Dougy> (Krzy, SilenceGold, ecrist, and you)
22:06 < rmull> Maybe you could impress her with your knowledge of IP routing and public key cryptography.
22:06 < rmull> :D
22:06 < Dougy> LMFAO.
22:06 -!- jeev [n=j@unaffiliated/jeev] has joined ##openvpn
22:06 < Dougy> "Babe, I have one mean router that can send large quantities of packets!"
22:06 < Dougy> "Oh doug!"
22:06 < Dougy> "Yeah. *coolface*"
22:06 < jeev> lol
22:07 < rmull> Gets em every time
22:07 < rmull> I do hate facebook apps with a passion though.
22:07 < Dougy> Eh, some are OK
22:07 < rmull> It's nice to see that something potentially good came out of one for once.
22:07 < jeev> hey guys, i regularly use mpd on freebsd.. so i was told openvpn is perfect for linux.. i set up a client and server, i connect just fine.. but if i want openvpn to act as my default gateway, do i need any different config ?
22:07 < Dougy> jeev: do you mean route all traffic through the VPN?
22:07 < jeev> yes sir
22:07 < rmull> jeev: You'll need the "redirect-gateway" directive in your server.conf
22:07 < Dougy> see
22:08 < Dougy> This is the perfect use for the forum :< but everyone just comes here
22:08 < Dougy> instead
22:08 < Dougy> :(
22:08 < jeev> its easy!
22:08 < rmull> jeev: Well, sortof
22:08 < rmull> There are "caveats"
22:08 < rmull> Which are outlined in the howto
22:08 < rmull> !howto
22:08 < vpnHelper> rmull: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
22:08 < Dougy> !forum
22:08 < vpnHelper> Dougy: Error: "forum" is not a valid command.
22:08 < rmull> But it should do what you want.
22:08 < Dougy> :(
22:08 < jeev> hmm
22:09 < jeev> what is it considered? so i could look for it in the howto,
22:09 < rmull> jeev: I'll get you a link.
22:09 < jeev> routed vpn ?
22:09 < rmull> jeev: http://openvpn.net/howto.html#redirect
22:09 < vpnHelper> Title: OpenVPN 2.0 HOWTO (at openvpn.net)
22:09 < rmull> HTH.
22:09 < rmull> Dougy: You can use !learn commands with vpnhelper if you want
22:10 < Dougy> krzee: not sure if you'll see this, but, I'm not too worried about that forum bot thing. There won't be that much activity for a while (if at all)
22:10 < Dougy> rmull: i know, but no point yet
22:10 < Dougy> I figure I should erm
22:10 < Dougy> get the logo done and what not
22:10 < Dougy> and maybe find some skin to use
22:10 < rmull> Oh
22:10 < Dougy> Right now they'll look, and just close the browser
22:10 < Dougy> probably
22:10 < rmull> That bad, eh?
22:10 < rmull> :\
22:11 < jeev> one sec, i'll read it, thanks man!
22:11 < rmull> jeev: GL HF
22:11 < rmull> :p
22:11 < Dougy> rmull: tell me something you see on the forum that makes you want to stay
22:11 < rmull> Though, I'm not sure why the use of mpd requires the redirect-gateway directive
22:12 < rmull> Dougy: Give it a little more time mang, it's too soon
22:12 < Dougy> rmull: exactly
22:12 < Dougy> That's exactly why I haven't used the !learn yet ;)
22:13 < rmull> More initial interest/attention could possibly mean good things, for example, you could have some philanthropic vbulletin whiz with free time that wants to lend a hand because he sees you're trying to get established
22:13 < Dougy> I'll dig around vb.org for a skin tomorrow
22:13 < rmull> On the other hand, you could "crap out a premie"
22:13 < rmull> :\
22:13 < Dougy> rmull: the chances of that are seldom
22:13 < Dougy> better chance of "oh that'll never amount to anything. *exit*"
22:13 < rmull> I'm running a PunBB forum at http://lug.bu.edu/forum/
22:13 < vpnHelper> Title: BU LUG Forum (at lug.bu.edu)
22:13 < Dougy> My friend is integrating punBB into Facebook
22:14 < Dougy> o.O
22:14 < rmull> Bleh web2.0
22:14 < Dougy> Meh.
22:14 < Dougy> Well.
22:14 < Dougy> For the forum to ever amount to anything, it would need to be put out there in places where people will see right away
22:14 < Dougy> *and*
22:14 < Dougy> There will need to be a group of a few people already joined waiting to help and stuff.
22:15 < rmull> We'll see how it turns out.
22:15 < Dougy> Indeed.
22:15 < Dougy> Should I SEO the URL's?
22:15 * Dougy doesnt think its necessary
22:15 < rmull> SEO? (sorry, my acronym library is small)
22:16 < Dougy> like
22:16 < Dougy> www.ovpnforum.com/forumname/how-to-install-openvpn-on-centos
22:16 < Dougy> or just www.ovpnforum.com/showthread.php?blah
22:16 < rmull> Ohh.
22:16 < rmull> TBH, that was something I've had internal debates over a number of times.
22:17 < rmull> Because on one hand, I dislike URL pollution
22:17 < rmull> OTOH, it's nice to get a small preview about what you're about to click on.
22:17 < Dougy> Yeah.
22:17 < Dougy> I think it's ugly and ew
22:17 < Dougy> but it does help with SERP (search engine positioning)
22:17 < rmull> I hadn't even considered that.
22:18 < Dougy> It definitely does help with that
22:18 < Dougy> it's just forums dont necessarily need it
22:18 < Dougy> but for example, my hosting blog www.hostingrealm.com
22:18 < Dougy> It gets really good search engine positioning
22:18 < Dougy> http://www.google.com/search?q=directadmin+install+guide&btnG=Search&hl=en&client=firefox-a&rls=com.ubuntu%3Aen-US%3Aunofficial&hs=y1q&sa=2
22:18 < vpnHelper> Title: directadmin install guide - Google Search (at www.google.com)
22:18 < Dougy> #3
22:19 < Dougy> http://www.google.com/search?hl=en&client=firefox-a&rls=com.ubuntu%3Aen-US%3Aunofficial&hs=P2q&q=webmin+install+guide&btnG=Search
22:19 < vpnHelper> Title: webmin install guide - Google Search (at www.google.com)
22:19 < Dougy> #7
22:19 < rmull> vpnHelper: You need to xrl or tinyurl long urls, dude
22:19 < vpnHelper> rmull: Error: "You" is not a valid command.
22:19 < rmull> :P
22:19 < Dougy> :P
22:20 < Dougy> there's so many decisions man
22:21 < rmull> 7 more days, then I hit my first "bicentennial" - 200 days of uptime :D
22:21 * rmull knocks on wood
22:22 < jeev> ok lets see
22:23 < jeev> that att commercial is hilarious
22:23 < Dougy> rmull: heh
22:23 * Dougy vmsplice exploits rmull's server
22:23 < jeev> heh
22:24 < rmull> Dougy: Gotta get local first. :P
22:24 < jeev> i dont get how the certificate authentication works
22:24 < jeev> if i have all the certs on the server, which do i need to bring over ?
22:25 < rmull> To the client?
22:25 < jeev> # Issues exist with respect to pushing DNS addresses to Windows clients., damn pretty big caveat lol
22:25 < jeev> yes
22:26 < rmull> jeev: http://openvpn.net/howto.html#pki
22:26 < vpnHelper> Title: OpenVPN 2.0 HOWTO (at openvpn.net)
22:26 < rmull> Scroll down to "Key Files"
22:26 < rmull> You should see a matrix that tells which machines need which keys/certs
22:26 < jeev> ok, so i guess this is my reason why i want a vpn
22:26 < jeev> i go to a lot of different places and i'd just rather connect to my server (securely)
22:26 < jeev> i guess that seems to be a good enough reason?
22:26 < rmull> Sure, seems like it
22:26 < jeev> assume that openvpn will provide me the proper encryption and security, right ?
22:27 < rmull> It should.
22:27 < rmull> Hold on though, if you just want to connect to your server, why not just use SSH?
22:27 < jeev> woo, hoo.
22:27 < jeev> no
22:27 < jeev> not connect to server
22:27 < jeev> i just want to browse the web and do everything that i do.. aim, irc securely
22:27 < jeev> i'm in hotels and crap
22:27 < jeev> i dont trust that stuff
22:27 < rmull> Oh, okay.
22:27 < jeev> so i'd rather vpn, right ?
22:27 < rmull> I'd say so.
22:27 < jeev> i got spare bandwidth on some nice colo's, might as well.
22:27 < Dougy> Lucky guy
22:28 < rmull> You can make a dynamic SOCKS proxy with SSH but then you'd need to config each app to use that proxy, which is annoying
22:28 < jeev> you're luckier, you have optonline!
22:28 < rmull> So OpenVPN would be nicer.
22:28 < jeev> yea rmull
22:28 < jeev> is it possible to enable the option to use it as a gateway
22:28 < jeev> and have the client decide?
22:28 < rmull> Decide?
22:28 < rmull> You can set your own routes as client
22:29 < jeev> so i wouldn't require the redirect-gateway clause ?
22:29 < rmull> I'm not sure specifically what that directive does - as far as I know, it just sets a routing rule on the clients that connect to it.
22:29 < rmull> Someone please correct me if I'm wrong.
22:29 < jeev> ahh
22:29 < Dougy> jeev: what do you mean
22:30 < rmull> Good question :D
22:30 < jeev> for example, if i use MPD in bsd
22:30 < jeev> if i connect, it'll try to send me out the freebsd network because by default
22:30 < jeev> 'use gateway on remote network' is selected
22:30 < jeev> i can't find the option in windows for that for the interface which i'm assuming is lan 5..
22:30 < jeev> maybe for this computer, i don't want * to go out the default on the remote network
22:30 < jeev> but on my laptop, i will.. therefore, i wouldn't want to force all clients to via server.conf
22:31 -!- jeev [n=j@unaffiliated/jeev] has left ##openvpn []
22:32 * rmull is confused
22:34 -!- jeev [n=j@unaffiliated/jeev] has joined ##openvpn
22:34 < jeev> wow
22:34 < jeev> did i get kicked?
22:34 < rmull> yes
22:34 < jeev> heh
22:34 < Dougy> you parted
22:34 < rmull> well, kicked? no
22:34 < jeev> how
22:34 < jeev> i didn't even realize
22:34 < jeev> i didn't see ANYTHING heh
22:34 < rmull> damn IRC gnomes
22:35 < jeev> hehe
22:35 < jeev> so did you guys get what i said
22:35 < Dougy> what did you say
22:36 < rmull> Last thing you said: but on my laptop, i will.. therefore, i wouldn't want to force all clients to via server.conf
22:37 < jeev> yep
22:37 < jeev> so you guys get what i meant
22:37 < jeev> lol
22:38 < rmull> Maybe you can use that directive in the ccd for the clients you want it to apply to
22:38 < rmull> I've never seen this in the documentation
22:38 < rmull> But it's worth testing
22:39 < jeev> ccd?
22:39 < Dougy> bed
22:39 < Dougy> night
22:40 < jeev> night dood
22:40 < rmull> Dougy: nn
22:40 < rmull> jeev: client-config-dir
22:40 < rmull> Check out the howto, man
22:40 < rmull> ;)
22:41 < jeev> ah
22:41 < jeev> i did!
22:42 < rmull> I'm gonna head out, peace chan
22:42 -!- rmull is now known as rmull_
22:44 -!- Dougy [n=douglas@ool-43503ed4.dyn.optonline.net] has quit ["Lost terminal"]
22:44 < jeev> later dood thanks
22:55 < jeev> after disconnecting from the vpn, windows gateway isn't reset..
23:28 < ecrist> jeev: what version you suing?
23:28 < ecrist> using?
23:28 < ecrist> nothing litigious here.
23:36 -!- Alives [n=Alives@cpe-72-225-212-185.nyc.res.rr.com] has joined ##openvpn
23:38 < Alives> how do you get the TAP driver installed in vista?
23:38 < SilenceGold> it should occur during the installation of the openvpn client
23:38 < Alives> yeah
23:39 < Alives> but then vista says it will not allow the driver installation without it being digitally signed
23:41 < SilenceGold> I am not sure which one..I use the beta one
23:41 < SilenceGold> it did have the digitally signed drivers
23:41 < Alives> hmm
23:41 < Alives> development?
23:42 < SilenceGold> yea
23:42 < SilenceGold> the 2.1.x
23:42 < Alives> nice ill try that
23:42 < Alives> thanks
--- Day changed Wed Aug 27 2008
00:10 -!- devicenull [n=devicenu@64.252.135.178] has quit [Read error: 104 (Connection reset by peer)]
00:57 -!- bandini [n=bandini@host123-109-dynamic.16-79-r.retail.telecomitalia.it] has quit [Remote closed the connection]
01:34 -!- rmull_ [n=boom@c-76-117-208-224.hsd1.nj.comcast.net] has quit [Read error: 104 (Connection reset by peer)]
01:46 -!- krzie [i=nobody@unaffiliated/krzee] has joined ##openvpn
02:17 -!- undertakingyou is now known as u12u
02:42 < kraut> moin
03:22 < krzie> moin kraut
05:28 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
06:18 -!- thefish [n=thefish@unaffiliated/thefish] has joined ##openvpn
06:18 < thefish> hello
06:38 -!- mcp [n=mcp@wolk-project.de] has quit ["ZNC - http://znc.sourceforge.net"]
06:39 -!- weedar [n=sikrit@82.194.215.2] has joined ##openvpn
06:44 < weedar> Can I setup an OpenVPN-server that uses an internal DHCP-server to give IP-leases instead of providing it by itself - so OpenVPN can provide IPs in the same scope as the DHCP-server
06:47 < weedar> Put in another way...If I connect to the office-LAN I get an IP from a DHCP-server not accessible from the outside, I want to setup an OpenVPN-server on a server which is world-accessible and that also has access to the DHCP-server
07:15 < ecrist> weedar: yes, using bridging.
07:18 < thefish> i have openvpn client running and connecting fine on a wrt router (roadkill tomato firmware), but i can access vpn resources only from the router itself, not from any router clients (all clients use router as default route) - is there an extra step to do
07:25 < ecrist> there shouldn't be, if I understand your problem correctly.
07:25 < ecrist> sounds like a possible firewall issue.
07:32 < thefish> ecrist: no with iptables logging, they show as accept
08:04 < ecrist> thefish: you don't give me a lot of data to go on...
08:10 < thefish> ecrist: sorry :) busy trying different things here
08:11 < thefish> ecrist: it just wont route to the openvpn net... from the router, i can ping inside the remote net
08:11 < thefish> but from router clients, nothing
08:12 < thefish> from router clients i can still ping internet hosts though
08:12 -!- plaerzen [n=cam@S010600119505deed.cg.shawcable.net] has joined ##openvpn
08:12 < plaerzen> harro
08:12 < thefish> so its just the openvpn part that its not routing
08:12 < ecrist> morning, plaerzen
08:12 < thefish> hans bricks?
08:13 < ecrist> thefish: can vpn clients ping the vpn router address?
08:14 < thefish> ecrist: yes, both the lan if (192.168...) and the openvpn tun address (172.16...)
08:15 < ecrist> ok, run a traceroute from one of the lan clients to one of the vpn clients and pastebin it
08:27 < kala> anybody here has option about "Extended Key Usage critical extension" in the X.509 certificates, which OpenVPN could use to authenticate server and client?
08:27 < kala> opinion
08:28 < kala> OpenVPN itself can check the "remote-cert-eku 1.3.6.1.5.5.7.3.1" things, but if I specify this extension as a critical in the certificate the OpenSSL fails with error "unhandled critical extension"
08:31 -!- tcccp [i=hey@223.66.238.89.arpa-addr.in] has joined ##openvpn
08:32 < ecrist> kala, interesting, if you find out, please let me know.
08:35 < ecrist> can I ask, what're you trying to do with the extra extensions?
08:35 < kala> well, it seems that OpenVPN can check the certificate intended usage, by having --remote-cert-eku option in the config file. However, when I *require* that the certificate must not be used for any other purpose, then OpenVPN fails, because OpenSSL fails to verify the certificate.
08:36 < kala> I'm just trying to understand the different options
08:36 < kala> honestly, its not really necessary to issue certificates with critical extensions
08:37 < kala> so, I guess I'll just drop the subject and will use the non-critical extensions
08:37 < ecrist> my policy is generally KISS.
08:37 < ecrist> !kiss
08:37 < vpnHelper> ecrist: Error: "kiss" is not a valid command.
08:38 < ecrist> !learn Keep It Simple Stupid
08:38 < vpnHelper> ecrist: Invalid arguments for learn.
08:38 < kala> yep, good one
08:38 < ecrist> !learn as Keep It Simple Stupid
08:38 < vpnHelper> ecrist: The operation succeeded.
08:46 < plaerzen> hey guys, I'm going to hang out in #security for a bit... until I find out that it sucks
08:46 < plaerzen> bbl
08:46 -!- plaerzen [n=cam@S010600119505deed.cg.shawcable.net] has quit ["[BX] We drink more beers than Norm on Cheers!"]
08:46 < ecrist> lol
08:57 -!- weedar [n=sikrit@82.194.215.2] has quit [Connection timed out]
09:18 < kala> uh. --tls-verify option says that it should have at most 1 parameter. So, when I have a script and want to pass argument to it, I need to tls-verify "script.pl argument1". But this gets converted to execve("script.pl argument1", argument2, argument3) syscall and I get "no such file or directory".
09:19 < kala> I'm wondering if Suse has its services by default chrooted or is there something else different
09:54 < Dougy|Work> morning
09:57 -!- KaiForce [n=chatzill@rrcs-96-11-109-38.central.biz.rr.com] has joined ##openvpn
10:04 < kala> the OpenVPN sample verify.cn script recommends to use tls-verify "./verify-cn Test-Client" configuration option. but this fails on OpenSuse with "Verify command failed to execute" error
10:05 * ecrist doesn't know.
10:05 < Dougy|Work> ecrist
10:05 < Dougy|Work> http://www.codinghorror.com/blog/images/tan-lines-from-typical-summer-activities.jpg
10:05 < Dougy|Work> :)
10:06 < ecrist> Dougy|Work: that's been going around for many years.
10:06 < Dougy|Work> i just saw it
10:08 < Dougy|Work> oO
10:08 < Dougy|Work> ecrist: someone I don't know joined the forum
10:08 < Dougy|Work> hah
10:08 < Dougy|Work> krzee: happy birthday
10:11 < cpm> whose birthday?
10:22 < jeev> hey dood
10:22 < jeev> Dougy|Work
10:24 < jeev> Dougy|Work, when i close the connected openvpn window on the windows xp computer, it never sets the gateway back for the original connection..
10:35 < Dougy|Work> erk
10:35 < Dougy|Work> My bad
10:35 < Dougy|Work> jeev: let me read that :p
10:36 < Dougy|Work> So click disconnect on the VPN thing
10:36 < Dougy|Work> Do you use a client?
10:36 < jeev> what client, when i'm using openvpn, i click right on my client config, start it.. works great, redirect-gateway = win win woo hoo!
10:36 < jeev> then when i click x on the window
10:36 < jeev> i dont have a route anymore to use the regular isp
10:37 < Dougy|Work> Oh. I haven't used the www.openvpn.se client in ages
10:37 * Dougy|Work forgets how the default openVPN one works
10:37 < Dougy|Work> :<
10:37 < jeev> ahh
10:37 < jeev> that's the gui version ?
10:37 < jeev> i mean i know i got the gui version
10:38 < Dougy|Work> Well, the www.openvpn.se has a nice VPN client
10:38 -!- KaiForce [n=chatzill@rrcs-96-11-109-38.central.biz.rr.com] has quit [Connection timed out]
10:38 < Dougy|Work> Very easy to use
10:38 < jeev> that's what i downloaded
10:38 < jeev> but i thought the openvpn dos thing was a part of openvpn
10:38 < Dougy|Work> It is, I think
10:38 < Dougy|Work> It is^
10:38 < Dougy|Work> http://www.openvpn.se/images/newmenu.png
10:38 < Dougy|Work> Just do that and disconnect if you have the program
10:38 < Dougy|Work> o.O
10:39 < jeev> bna
10:39 < jeev> thats not it
10:39 < jeev> i'm using the actual openvpn program without gui
10:39 < Dougy|Work> :<
10:39 < Dougy|Work> I don'
10:39 < Dougy|Work> I don't remember much about that*
10:39 < Dougy|Work> I don't use Windows, so
10:39 < jeev> ahh
10:40 < jeev> all i know is that it doesn't return local area connection's interface to its previous default gateway
10:40 < Dougy|Work> in ipconfig, is the vpn still connected?
10:41 < jeev> no, when i close it, it's disconnected
10:41 < jeev> so local area connection shows 192.168.0.3 for example, with netmask
10:41 < jeev> but no gateway
10:41 < jeev> so i have to ipconfig /renew to get it outgoing again (regular connections)
10:41 < Dougy|Work> Hrm
10:41 < Dougy|Work> I would talk to ecrist on that one
10:42 < Dougy|Work> I only use Linux when i VPN
10:42 < Dougy|Work> So.. I'm not of much use
10:42 < Dougy|Work> I only use Linux really (except here at work)
10:42 < jeev> ah ok
10:42 < Dougy|Work> control + c and my routing is back to normal
10:42 < Dougy|Work> lol
10:43 < jeev> control c doesn't work for me
10:43 < jeev> i have to x it
10:43 < Dougy|Work> That's on Linux :))
10:43 < jeev> are you using redirect-gateway
10:43 < jeev> ahh k
10:43 * jeev stabs Dougy|Work
10:44 < jeev> man, i want 4 opteron 270's
10:44 < jeev> cheap on ebay but
10:44 < Dougy|Work> Ew..
10:44 < jeev> i need to be able to sell the 246's.
10:44 < Dougy|Work> use Intel 10:44 < jeev> i have 3 servers that use opteron 246's 10:44 < Dougy|Work> Core2's are about to drop in price 10:44 < jeev> single core 2ghz, dual each 10:44 < Dougy|Work> at least 25% 10:44 < jeev> i know but i got these servers 10:44 < Dougy|Work> if not more 10:44 < Dougy|Work> Ah 10:44 < jeev> the dual is 54 bux each shipped 10:44 < jeev> i need 4 10:44 < jeev> but i dont want to buy it 10:44 < jeev> i really dont need it. but i want it 10:44 < jeev> i can wait. 10:44 < Dougy|Work> meh 10:44 < Dougy|Work> Intel is nice 10:44 < Dougy|Work> <3 Nehalem 10:45 < jeev> heh 10:45 < jeev> moo: os: Microsoft Windows XP Professional - Service Pack 3 (5.1.2600) up: 2days 15hrs 9mins 27secs cpu: Intel Pentium III Xeon processor (x86) at 3800MHz (2% Load) gfx: NVIDIA GeForce 8800 GTS 512 512MB res: 1920x1200 32bit 60Hz ram: 665/3582.4MB (18.55%) [||--------] hdd: C:\ 95.2GB/146.48GB D:\ 2.07GB/58.59GB F:\ 35.49GB/372.61GB H:\ 84.86GB/232.88GB I:\ 18.87GB/127.71GB J:\ 221.27GB/449.68GB net: Realtek RTL8168_8111 PCI-E Gigabit Ethernet NIC - Packet Sc 10:45 < jeev> but i do get random crashes 10:45 < Dougy|Work> yeah, i got XP here too 10:45 < jeev> i need to drop it 200mhz 10:45 < Dougy|Work> (work) 10:45 < jeev> my friend oc'd it 10:45 < Dougy|Work> OS: WinXP Professional 5.1 SP3 (Build #2600) CPU: Intel Pentium 4 , 3.01 GHz, 1024KB Video: (1280x1024x32bpp 1Hz) Sound: Realtek AC97 Audio Memory: Used: 1038/2032MB Uptime: 1w 6d 17h 37m 55s HD: Free: 150.28 GB/186.30 GB Connection: @ 0 bps (Rec: 0.00MB Sent: 0.00MB) 10:45 < jeev> said my fan isn't good enough 10:45 < jeev> said it's stock that's why 10:45 < jeev> lol 10:45 < jeev> i wanted the e8600 but couldn't find it 10:45 < jeev> so got the 8500 10:45 < Dougy|Work> nice 10:45 < jeev> had the q6600, hated iot 10:45 < jeev> it 10:45 < Dougy|Work> why?
10:46 < jeev> slower per core 10:46 < jeev> i noticed it 10:46 < Dougy|Work> oh see 10:46 < Dougy|Work> I don't even use this P4 to 50% 10:46 < Dougy|Work> So, I really wouldn't know 10:46 < jeev> ahh 10:47 < jeev> either way, i like it 10:47 < jeev> i just need to package it up 10:47 < jeev> for friends and stuff 10:50 < Dougy|Work> ah 10:51 < Dougy|Work> jeev: do you use FF3? 11:07 -!- rmull [n=boom@c-76-117-208-224.hsd1.nj.comcast.net] has joined ##openvpn 11:07 -!- rmull is now known as rmull_ 11:08 < Dougy|Work> rmull_ 11:08 < Dougy|Work> guess where I am 11:08 < rmull_> On the futon? :P 11:08 < Dougy|Work> indeed 11:08 < Dougy|Work> on my laptop 11:08 < Dougy|Work> :o 11:08 < rmull_> Haha 11:08 < Dougy|Work> its nice to be able to go in whenever I want 11:08 * Dougy|Work has acces to the finger scanner 11:08 < Dougy|Work> access^ 11:09 < rmull_> I just kick the door in whenever I want futon access 11:09 < Dougy|Work> lmfao 11:09 < Dougy|Work> yeah that would work too 11:09 < Dougy|Work> mine is just less invasive 11:09 < Dougy|Work> lol 11:10 < rmull_> Why do you chill there? Access to your machine in the DC or something? 11:10 < Dougy|Work> I work here :S 11:11 < Dougy|Work> The company I work for has equip in both dc's 11:11 < Dougy|Work> We have an extra guy, so I'm chilling here (TEB2) because we have an extra guy, so I can just solely staff this DC 11:11 < rmull_> ahh. 11:12 < Dougy|Work> besides 11:12 < Dougy|Work> who doesnt wanna have a big tv and a futon to kick back on at work the whole day 11:12 < Dougy|Work> lol 11:12 < rmull_> Seriously. 11:12 < rmull_> What kind of connection do they provide to those in the office? 11:12 < Dougy|Work> What do you mean?
11:13 < Dougy|Work> http://www.speedtest.net/result/308618194.png 11:13 < Dougy|Work> that's from my desk (that i'm rdp'ing into) 11:13 < rmull_> That's what I mean :o 11:14 < Dougy|Work> that's slow as hell 11:14 < Dougy|Work> lol 11:14 < Dougy|Work> if I wire myself to the OS install network 11:14 < Dougy|Work> I get double it 11:14 < rmull_> That's sick 11:15 < Dougy|Work> <@Fatal_Work> *exec x=0.9999999999999999999999999999; y=x*10; y=y-x; y=y/9; "x equal #{y}" 11:15 < Dougy|Work> <~Purgatory> x equal 1.0 11:15 < Dougy|Work> o.O 11:15 < Dougy|Work> so apparently now 0.99 equals 1 11:17 < rmull_> You broke math 11:17 < Dougy|Work> http://en.wikipedia.org/wiki/0.999 11:17 < vpnHelper> Title: 0.999... - Wikipedia, the free encyclopedia (at en.wikipedia.org) 11:17 < Dougy|Work> apparently not 11:21 < Dougy|Work> lol 11:21 < Dougy|Work> rmull_: someone I don't know joined the forum 11:21 < Dougy|Work> o.O 11:24 < rmull_> OH snap 11:25 < rmull_> Matt 11:25 < rmull_> Hmm 11:25 < rmull_> Did you check their IP against the forum spam databases? Lol 11:26 < Dougy|Work> yes 11:26 < Dougy|Work> it's a centurytel IP 11:26 < Dougy|Work> prob not spam 11:26 < Dougy|Work> oh rmull_ 11:26 < Dougy|Work> https://ovpnforum.com 11:26 < Dougy|Work> o.o 11:27 < rmull_> Did you pay for that? 11:27 < rmull_> The cert, I mean 11:27 -!- ChanServ changed the topic of ##openvpn to: Home Page: http://openvpn.net | HowTo: http://openvpn.net/howto | Current Release 2.0.9 | Wiki: https://www.secure-computing.net/wiki/index.php/OpenVPN | Pastebin your copy over 5 lines. | Don't feed the trolls. | Forum: https://ovpnforum.com 11:27 < rmull_> Thanks chanserv :) 11:30 < Dougy|Work> rmull_: nah 11:30 < Dougy|Work> its a $50 cheapo cert, I got it for free 11:31 < ecrist> Dougy|Work: hook me up with a free cert. 11:34 < rmull_> Dougy|Work: I was asking because it's not included in FFox3 11:34 < rmull_> So if I paid, I'd have felt bad 11:35 < ecrist> rmull_: it was included in my FF3.
11:35 < ecrist> nm, it's not included on my Mac FF3 11:35 < Dougy|Work> yeah 11:35 < Dougy|Work> my FF3 supports it 11:35 < Dougy|Work> some do some don't 11:35 < Dougy|Work> It's a Comodo one too. :S 11:39 < Dougy|Work> :( 11:39 < Dougy|Work> rmull_: Namecheap hands em out free 11:41 < rmull_> Browser-included? 11:43 -!- xattack [i=invitado@132.248.108.239] has joined ##openvpn 11:43 < jeev> yea Dougy|Work, i do 11:43 < jeev> sorry i forgot 11:43 < jeev> i use ff3 11:43 -!- xattack [i=invitado@132.248.108.239] has quit [Remote closed the connection] 11:44 < jeev> i'll be back in a bit 11:45 -!- xattack [i=invitado@132.248.108.239] has joined ##openvpn 12:00 < Dougy|Work> rmull_: what? 12:01 -!- oxygene [n=oxygene@khepri.openbios.org] has joined ##openvpn 12:07 < oxygene> hi 12:08 < Dougy|Work> hi 12:08 < Dougy|Work> what's pu 12:08 < Dougy|Work> up^ 12:18 -!- bandini [n=bandini@79.16.109.123] has joined ##openvpn 12:20 -!- Irssi: ##openvpn: Total of 39 nicks [0 ops, 0 halfops, 0 voices, 39 normal] 12:20 < oxygene> I'm having issues with my openvpn client (2.0.9 installer on win32). it disconnects every 2 minutes (or so) from the server, with the server complaining about LZO errors.. comp-lzo is the same on both sides, and there's no related warning 12:20 < oxygene> any ideas? 12:21 < ecrist> can you paste your lzo errors? 12:22 < oxygene> Bad LZO decompression header byte: 42 12:22 < oxygene> several times, then timeout and reconnect. for 20-40 seconds, the connection works, then the issue shows up again 12:22 < ecrist> try disabling lzo 12:24 < oxygene> there are more clients (that I don't have access to), mine is the only one making trouble, so I can't easily mess around with the server 12:24 < Dougy|Work> what windows is this? 
12:25 < oxygene> XP Pro SP3 12:25 < Dougy|Work> I run the same and never had that issue 12:25 < Dougy|Work> Try reinstalling LZO 12:25 < oxygene> I didn't have it last week, either :) 12:25 < Dougy|Work> Install any Windows updates lately? 12:25 < ecrist> oxygene: reinstall lzo on your client 12:25 < oxygene> hmm.. one for IE7 12:26 < Dougy|Work> Yeah, reinstall LZO again 12:26 < oxygene> hmm. isn't it statically linked? (2.0.9 installer) I can't find a dll, at least 12:27 < Dougy|Work> Not that I know of 12:28 < ecrist> no, I don't think it is. 12:32 < oxygene> no, sorry - no lzo.dll 12:34 * ecrist goes away. 12:37 < Dougy|Work> o.O 12:37 < Dougy|Work> Haha 12:44 -!- gongoputch [n=kseel@74.95.184.161] has quit [Read error: 104 (Connection reset by peer)] 12:50 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn 13:08 -!- xattack [i=invitado@132.248.108.239] has quit ["Leaving"] 13:28 -!- scampbell [n=scampbel@199.105.195.156] has joined ##openvpn 13:50 < Dougy|Work> hey 13:50 < Dougy|Work> Anyone ever set up openVPN tun on Virtuozzo? 13:52 < jeev> nnop 13:55 < Dougy|Work> damn 13:55 < Dougy|Work> im setting it up to route all traffic thru it 13:55 < jeev> heh 13:55 < Dougy|Work> and getting this: 13:56 < Dougy|Work> root@redrocket [/etc]# iptables -t nat -A POSTROUTING -s 172.16.0.0/26 -o venet0 13:56 < Dougy|Work> -j MASQUERADE 13:56 < Dougy|Work> iptables: Unknown error 4294967295 13:56 < jeev> huh 13:56 < jeev> hrmf 13:57 < jeev> iptables -t nat -A POSTROUTING -s 192.168.50.0/24 -o eth0 -j MASQUERADE 13:57 < jeev> that's what i'm doing 13:57 < jeev> your virtual thing maybe doesn't support it 13:57 < jeev> what kernel ? 13:57 < ecrist> what's the google say? 13:59 < ecrist> Dougy|Work: you need to get away from VPSes 13:59 < ecrist> :\ 14:02 -!- syslogd [n=syslogd@unaffiliated/syslogd] has joined ##openvpn 14:02 < syslogd> Hello. 
14:03 < jeev> killall -9 syslogd 14:03 < syslogd> I do not know if this is an OpenVPN-related issue but building a certificate is giving me this message: 14:04 < syslogd> error on line 143 of /usr/share/openvpn/easy-rsa/openssl.cnf 14:04 < syslogd> 18987:error:0E065068:configuration file routines:STR_COPY:variable has no value:conf_def.c:629:line 143 14:04 < syslogd> jeev: no, please not :) 14:09 < ecrist> I would look at line 143 of your /usr/share/openvpn/easy-rsa/openssl.cnf file 14:09 < ecrist> -.- 14:10 < syslogd> I have already done so. It contains: commonName_default = $ENV::KEY_CN 14:10 < syslogd> Probably KEY_CN is not set. 14:10 < syslogd> But there is no variable with the name KEY_CN predefined in the file "vars" 14:13 < ecrist> then, it would be null. 14:13 < ecrist> no, KEY_CN needs to be defined. 14:13 < ecrist> syslogd: you on freebsd? 14:13 < syslogd> No, Gentoo. 14:13 < ecrist> !ssl-admin 14:13 < vpnHelper> ecrist: "ssl-admin" is https://www.secure-computing.net/wiki/index.php/OpenVPN_Server 14:13 < ecrist> nm 14:15 < syslogd> Will this tutorial also work on Gentoo? 14:15 < syslogd> I think the paths are different here. 14:17 < ecrist> mostly, yes 14:17 < ecrist> I've never done it on Gentoo. 14:17 < ecrist> linux is ftl. 14:24 < Dougy|Work> ecrist: this VPS isn't for me 14:24 < Dougy|Work> and the money I make doing what I do barely lets me get a VPS 14:24 < Dougy|Work> I get no staff discount, and I get paid like shit 14:24 < ecrist> DSL in your basement. 14:24 < ecrist> ;) 14:44 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 14:45 -!- dfas [n=none@10.201.216.81.static.s-o.siw.siwnet.net] has joined ##openvpn 14:45 < dfas> when being connected to a vpn network, will my other internet activity from that computer also travel over the vpn-server?
14:48 < Dougy|Work> not always 14:48 < Dougy|Work> you can configure it to route all traffic through it 14:48 < Dougy|Work> ecrist: HAHAHAHHAH 14:48 < Dougy|Work> you're funny 14:49 < dfas> Dougy|Work: whats the default? 14:49 < Dougy|Work> dfas: not to 14:49 < Dougy|Work> !menu 14:49 < vpnHelper> Dougy|Work: "menu" is !betaman, !tls-cipher, !howto, !faq, !winroute, !iroute, !route, !mail, !tls-verify, !pastebin, !logs, !man, !ubuntu, !gentoo, !freebsd, !ccd, !mtu, !bridge, !tcp, !privledges, !insanity, !nat, !secure, !ask, !wiki, !sample, !configs, !winpass, !dev, !/30, !multi, !router, !notopenvpn, !path, !netman, !tls-auth, !push, !download 14:49 < dfas> can I find it out? traceroute maybe? 14:49 < Dougy|Work> dfas: what do you mean 14:50 < Dougy|Work> !push 14:50 < vpnHelper> Dougy|Work: "push" is usage: push , goes in the server config and makes the command act as if it was in the client config, can be used in ccd entries 14:50 < dfas> Dougy|Work: find out if my general internet traffic goes via vpn or not. 14:50 < Dougy|Work> if it does, your ip will change 14:50 < Dougy|Work> and if you were signed into msn etc 14:50 < Dougy|Work> you'd have to re sign in when you connected to the vpn 14:51 < dfas> nice way of checking :P thanks 14:53 < Dougy|Work> L( 14:53 < Dougy|Work> .. 14:53 < Dougy|Work> :) 15:03 -!- scampbell [n=scampbel@199.105.195.156] has quit [Read error: 104 (Connection reset by peer)] 15:28 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Read error: 113 (No route to host)] 15:41 -!- MolePrince [n=m0ntag@c-24-8-178-10.hsd1.co.comcast.net] has joined ##openvpn 15:42 < MolePrince> Hello, when I VPN into my home network from a remote Linux laptop, I cannot see my workgroup or any of my machines here. How may I fix this please? I can ping them all.
15:50 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn 16:02 -!- aia [n=aia@unaffiliated/aia] has joined ##openvpn 16:02 < krzee> i take it you mean windows shares 16:03 < Dougy|Work> krzee! 16:03 < krzee> in which case, it uses NETBIOS, which goes by MAC address and not IP address 16:03 < Dougy|Work> isn't it your birthday? 16:03 < krzee> yup =] 16:03 < Dougy|Work> happy bday ^^ 16:04 < jeev> i thought i was the only lamer that was on irc during bday 16:04 < krzee> MolePrince, you either need a bridge so you can do NETBIOS, or a WINS server 16:04 < krzee> lol jeev, nope you arent alone 16:04 < jeev> :> 16:04 < krzee> Dougy|Work thanx man =] 16:05 < Dougy|Work> krzee: a random person joined the openvpn forum 16:05 < Dougy|Work> :o 16:18 < MolePrince> krzee: Which method is preferred? I am very new to VPN 16:18 < krzee> well really thats up to you 16:19 < krzee> a WINS server translates NETBIOS name to IP address, much like an NS 16:19 < krzee> err, a name server 16:19 < krzee> a bridge makes it seem like the machines are on the same switch 16:19 < MolePrince> Ah, so. I think Samba may have some option regarding WINS. 16:19 < krzee> i dont do either cause i dont use windows 16:20 < krzee> oh you use samba on linux for your windows filesharing? 16:20 < MolePrince> krzee: I have Windows laptops for work unfortunately. 16:20 < MolePrince> krzee: Yes, my local server shares Samba folders that I want to access over VPN on a Windows machine. 16:21 < krzee> 1sec 16:21 < MolePrince> Thanks 16:23 < krzee> !learn samba as http://www.openvpn.net/howto#samba if you run samba on linux and use tun mode 16:23 < vpnHelper> krzee: The operation succeeded.
16:24 < krzee> !samba 16:24 < vpnHelper> krzee: "samba" is (#1) http://openvpn.net/faq#samba-routing for using samba with a routed tun, or use NETBIOS with a bridge, or (#2) http://www.openvpn.net/howto#samba if you run samba on linux and use tun mode 16:24 < krzee> read both of those 16:25 < MolePrince> Will do, thanks. 16:28 < Dougy|Work> gah 16:28 < Dougy|Work> #gnome is being useless and I have a gnome question 16:28 < Dougy|Work> :(((((((( 16:28 < krzee> !forget menu 16:28 < vpnHelper> krzee: The operation succeeded. 16:28 < krzee> !learn menu as !betaman, !tls-cipher, !howto, !faq, !winroute, !iroute, !route, !mail, !tls-verify, !pastebin, !logs, !man, !ubuntu, !gentoo, !freebsd, !ccd, !mtu, !bridge, !tcp, !privledges, !insanity, !nat, !secure, !ask, !wiki, !sample, !configs, !winpass, !dev, !/30, !multi, !router, !notopenvpn, !path, !netman, !tls-auth, !push, !download, !samba 16:28 < vpnHelper> krzee: The operation succeeded. 16:34 -!- MolePrince [n=m0ntag@c-24-8-178-10.hsd1.co.comcast.net] has quit ["leaving"] 16:38 < Dougy|Work> krzee 16:38 < Dougy|Work> why are you here 16:38 < Dougy|Work> gtfo 16:38 < Dougy|Work> go celebrate 16:38 < Dougy|Work> lol 16:46 < ecrist> Dougy|Work: what am I funny about? 16:54 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Remote closed the connection] 17:07 < Dougy|Work> ecrist: a rack in my basement 17:07 < Dougy|Work> my parents don't even let me keep my desktop on 24/7 17:07 < Dougy|Work> hell they wont even let me have a desktop 17:07 < Dougy|Work> its either keep laptop or get rid of laptop + get desktop 17:07 < Dougy|Work> and its only allowed on while im using it 17:23 < ecrist> didn't realize you were that young. 17:23 < krzee> ya neither did i till he mentioned it 17:23 < Dougy|Work> Haha.
17:23 < Dougy|Work> :p 17:23 < krzee> more mature acting than his age 17:23 * Dougy|Work is 15 17:23 < krzee> why are you here 17:23 < krzee> im stuck to the computer for about 3.5 more hrs 17:23 < krzee> then its celebration time 17:24 < Dougy|Work> krzee: hahah 17:24 < Dougy|Work> don't get too drunkj 17:24 < Dougy|Work> drunk^ 17:24 < ecrist> I get to go to the kid's 1st grade orientation tonight. 17:24 < Dougy|Work> Ew 17:24 < Dougy|Work> why 17:24 < ecrist> Ew? 17:24 < Dougy|Work> OH 17:24 < Dougy|Work> I thought you said 17:24 < Dougy|Work> some kid's 17:24 < Dougy|Work> my bad :o 17:24 < krzee> ive got a bottle of tequila, grey goose, rum 17:25 < krzee> at the club tonight 17:25 < Dougy|Work> krzee: what kind of tequila? 17:25 < krzee> tres generationes 17:25 < krzee> its my favorite, tied with don julio 17:26 < krzee> with patron following up in 3rd place 17:32 < Dougy|Work> good man 17:32 < Dougy|Work> sorry for late reply, i'm down here in the datacenter 17:33 -!- aptanet [n=Paul@87-127-190-18.no-dns-yet.enta.net] has joined ##openvpn 17:33 -!- plaerzen [n=cam@S010600119505deed.cg.shawcable.net] has joined ##openvpn 17:33 < plaerzen> moin 17:34 < Dougy|Work> Hiya 17:37 < jeev> Dougy|Work, what datacenter 17:38 < Dougy|Work> jeev: the XO facility in secaucus, nj 17:38 < jeev> where is my free colo 17:38 < Dougy|Work> i dont even get free colo.. 17:38 < jeev> lol 17:38 < Dougy|Work> i work for a company with like 10 racks in here 17:38 < Dougy|Work> and i dont even get a fuckin discount 17:38 < jeev> oh 17:38 < jeev> sucks 17:38 < jeev> you're there all day ? 17:39 < Dougy|Work> during the summer 17:39 < Dougy|Work> ive been here since 10 am 17:39 < jeev> damn 17:39 < jeev> you're the tech ? 17:39 < Dougy|Work> 18:39:16 17:39 < Dougy|Work> and looks like i got another hr in front of me 17:39 < jeev> damn 17:39 < jeev> i got a cage 17:39 < jeev> in LA 17:39 < jeev> and i'm coloing other places here 17:40 < krzee> where in LA?
17:40 < krzee> 1 wilshire 17:40 < jeev> yea 17:40 < jeev> coloed at 530 also 17:40 < jeev> and somewhere in tustin 17:40 < jeev> i havent dropped off the boxen yet 17:40 < krzee> nice 17:40 < krzee> thats a good dc 17:41 < jeev> yea 17:42 < krzee> i have fantastic routing to it too 17:43 < krzee> a lot of voip people in that DC 17:43 < jeev> yea i got mine there 17:43 < krzee> ahh you run a voip co? 17:43 < jeev> very small hosted 17:43 < krzee> nice man 17:44 < krzee> got url? 17:44 < jeev> no i just do it for little offices who ask me 17:44 < jeev> and friends 17:45 < jeev> i'm not that confident about it man 17:45 < jeev> sometimes i get dtmf errors and shit 17:45 < jeev> why, you interested in doing it ? 17:46 < krzee> ahh cool 17:46 < krzee> nah i used to be strong into voip 17:47 < krzee> resold in san diego and was 1/2 owner of a company 17:47 < krzee> still get people asking me who they should use and whatnot on occasion 17:47 < jeev> what kind of voip 17:47 < jeev> hosted pbx or sip and shit 17:47 < krzee> SIP 17:47 < krzee> although i resold hosted too 17:48 < jeev> ahh 17:48 < jeev> you use ITSP 17:48 < jeev> like internet provider 17:48 < jeev> or you had your own PRI and shit 17:48 < krzee> the one i was part owner of was just SIP, but we paid all our users per minute they used us 17:48 < krzee> we werent straight up ITSP 17:48 < krzee> no e911 and all that 17:48 < jeev> yea 17:48 < krzee> only inbound 17:48 < jeev> i dont have e911 17:48 < jeev> oh 17:48 < jeev> i have outbound 17:48 < Dougy|Work> back 17:48 < jeev> i got an office with 25 phones 17:48 < krzee> well ya but you charge people 17:48 < jeev> i set up multiwan 17:48 < krzee> not only were we free, we paid our users 17:49 < jeev> why pay 17:49 < jeev> so i was having like problems getting out of nat.. 
i set up iax between the asterisk box inside the office and the one at one wilshire 17:49 < krzee> lets just say, we made a ton of money that way 17:49 < jeev> it's cool but sometimes i have minor issues 17:49 < jeev> really ? 17:49 < jeev> advertising ? 17:49 < krzee> nah, access charge games 17:49 -!- aptanet [n=Paul@87-127-190-18.no-dns-yet.enta.net] has quit [Read error: 104 (Connection reset by peer)] 17:49 < jeev> huh?/ 17:49 < krzee> hehe 17:49 < krzee> read up on futurephone 17:50 -!- aptanet [n=Paul@87-127-190-18.no-dns-yet.enta.net] has joined ##openvpn 17:50 < krzee> thats not us 17:50 < krzee> but they basically made our games famous 17:50 < krzee> http://www.google.com.pe/search?hl=en&q=futurephone+ATT&btnG=Search 17:50 < vpnHelper> Title: futurephone ATT - Google Search (at www.google.com.pe) 17:50 < krzee> all the free providers play the game we played 17:51 < jeev> heh 17:51 < krzee> http://ph33r.org/updates/2007/2/12/atts-free-call-bill-2-million.html 17:51 < vpnHelper> Title: AT's 'Free Call' Bill: $2 Million - ph33r dot org - an I.T. security blog by John Jolly (at ph33r.org) 17:51 < Dougy|Work> man 17:51 < Dougy|Work> i want colo 17:51 < Dougy|Work> but im not payin my boss retail to colo shit so he can make money off his own employee 17:52 < Dougy|Work> fuck him 17:52 < jeev> how much he charging you 17:53 < Dougy|Work> 70/mo for 1u and 2500 gb bw 17:53 < krzee> thats really not a bad price if its good bw 17:54 < jeev> lol 17:54 < Dougy|Work> krzee 17:54 < jeev> i'm paying 75 a month for 150gb bandwidth man 17:54 < jeev> what are you complaining about 17:54 < Dougy|Work> chances are ecrists home dsl is better 17:54 < jeev> who's the bandwidth by ?
17:54 < jeev> oh 17:54 < krzee> i wouldnt pay it, but its good 17:54 < Dougy|Work> jeev: level3, tiscali, sprint, above.net, and a couple others i dont remember 17:54 < Dougy|Work> XO 17:54 < Dougy|Work> and a few others 17:54 < krzee> i guarantee its better than my BW 17:54 < krzee> lol 17:54 < Dougy|Work> poooorly routed. 17:54 < jeev> so what's so bad about it 17:54 < jeev> oh 17:54 < krzee> my home bw that is 17:54 < Dougy|Work> jeev: let me break out traceroutes 17:54 < jeev> my 75/m for 150gb is level3 17:54 < jeev> my one wilshire is a lot of carriers 17:54 < krzee> i dont even like L3 anymore 17:55 < jeev> well, i need back up MX's and asterisk boxes 17:55 < Dougy|Work> jeev: http://rafb.net/p/X7AHyM21.html 17:55 < vpnHelper> Title: Nopaste - No description (at rafb.net) 17:55 < krzee> hell ill take cogent over L3 sometimes now 17:55 < jeev> heh 17:56 < jeev> where is the traceroute from 17:56 < Dougy|Work> all over 17:56 < Dougy|Work> the 38.x is from jacksonville, fla on all cogent 17:56 < krzee> 10 38 ms 38 ms 41 ms core-02-teb1.us.njiix.net [64.20.32.218] 17:56 < krzee> 11 161 ms 201 ms 205 ms 64.18.144.145 17:56 < krzee> OUCH 17:56 < Dougy|Work> krzee: case in point 17:57 < Dougy|Work> my boss fucked it up about two weeks ago 17:57 < Dougy|Work> and then went away on vacation 17:57 < jeev> 12 WBS-CONNECT.car3.NewYork1.Level3.net (4.71.172.166) 81.768 ms 81.982 ms 81.301 ms 17:57 < jeev> 13 core-02-teb1.us.njiix.net (64.20.32.218) 84.753 ms 98.754 ms 84.271 ms 17:57 < jeev> 14 *^C 17:57 < Dougy|Work> nice isnt it 17:58 < jeev> my routing to my shit here owns 17:58 < Dougy|Work> our routing is usually good here oto..
17:58 < Dougy|Work> too^ 17:58 < Dougy|Work> now not so much 17:58 < jeev> 8 hops though 17:58 < jeev> for 15ms 17:58 < jeev> my one wilshire is 9ms 17:58 < jeev> but 10 hops 17:58 < jeev> heh 17:59 < Dougy|Work> man 17:59 < Dougy|Work> i dont WANNA be here another hour 17:59 < jeev> so i have 3 new servers up 17:59 < Dougy|Work> ugh 17:59 < jeev> i have nothing to do with them 17:59 < jeev> i've got to figure 17:59 < Dougy|Work> hmmm 17:59 < jeev> i'll set up asterisk on all 3 17:59 < krzee> i get to your first internal router in 9 hops from san diego 17:59 < jeev> and back up MX 17:59 < Dougy|Work> i have two old xeon socket 771's here 17:59 < Dougy|Work> a nice asus mobo 17:59 < krzee> 9 core-02-teb1.us.njiix.net (64.20.32.218) 70.606 ms 70.072 ms 69.327 ms 17:59 < Dougy|Work> thats still $200 17:59 < Dougy|Work> and 2 fans 17:59 < Dougy|Work> mmmmmmmmmm 17:59 < jeev> these servers are opteron 246's 17:59 < jeev> 2 in each 17:59 < jeev> i want opteron 270's, dual 2.0's and 2 of them 17:59 * Dougy|Work has gas 17:59 < Dougy|Work> >< 17:59 < jeev> but i dont want to blow that money 17:59 < jeev> actually 18:00 < jeev> to upgrade 2 of these servers 18:00 < jeev> i can spend 214 bux or something 18:00 < jeev> i'll have 4 dual core 2.0's 18:00 < jeev> 2 in each box 18:00 < jeev> compared to now, 4 single cores 18:00 < Dougy|Work> i'm an intel fanboy 18:00 < jeev> yea, i like intel too but i got a great deal on these boxen 18:00 < krzee> jeev, got ip i can trace to in 1 wilshire?
18:00 < Dougy|Work> 1 wilshire is real nice 18:00 < Dougy|Work> real real nice 18:00 < krzee> yup 18:01 < krzee> <3 carrier hotels 18:01 < krzee> 56 marietta is also nice 18:01 < Dougy|Work> yeah 18:01 < Dougy|Work> that also is nice 18:01 < jeev> traceroute uscolo.com 18:01 < krzee> and 60 hudson in NY is great if you do voip 18:01 < Dougy|Work> ewwwwww 18:01 < Dougy|Work> njiix -> tiscali -> sprint 18:01 < Dougy|Work> in the first 8 hops 18:01 < Dougy|Work> @ jeev 18:02 < krzee> 11 204.9.207.30.uscolo.com (204.9.207.30) 5.852 ms 6.327 ms 7.059 ms 18:02 < krzee> heheh 18:02 < Dougy|Work> http://rafb.net/p/fLkCEE67.html 18:02 < vpnHelper> Title: Nopaste - Traceroute to UScolo.com (at rafb.net) 18:03 < jeev> justedge is wack man 18:03 < jeev> i wouldn't have a server anywhere near them 18:03 < jeev> Dougy|Work, i got 2 servers @ lomag.net 18:03 < jeev> traceroute them 18:03 < Dougy|Work> dude 18:03 < Dougy|Work> Ruby is nuts 18:03 < Dougy|Work> jeev: i dont even know what to say. 18:03 < Dougy|Work> i really don't. 18:03 < Dougy|Work> let me put it this way 18:03 < Dougy|Work> all my servers here aren't here anymore ;] 18:03 < jeev> heh 18:03 < Dougy|Work> Whoa. 18:04 < Dougy|Work> Ruby is WHACK. 18:04 < jeev> traceroute lomag.net from there 18:04 < Dougy|Work> 8 hops, jeev 18:04 < Dougy|Work> http://rafb.net/p/rZCt5g68.html 18:04 < vpnHelper> Title: Nopaste - No description (at rafb.net) 18:04 < jeev> 1 gige0-1.core1.nyc.lomag.net (208.185.81.1) 3.855 ms 3.490 ms 3.994 ms 18:04 < jeev> 2 282.ge-1-3-2.mpr1.lga5.us.above.net (64.124.170.26) 3.993 ms 4.774 ms 3.998 ms 18:04 < jeev> 3 64.124.44.213.interserver.com (64.124.44.213) 3.995 ms 3.791 ms 3.997 ms 18:04 < jeev> 4 core-02-teb1.us.njiix.net (64.20.32.218) 4.998 ms 4.796 ms 4.999 ms 18:05 < jeev> then * * ** 18:05 < Dougy|Work> ... 18:05 < Dougy|Work> um.. 18:05 < Dougy|Work> the hell.. 18:05 < Dougy|Work> you know what. screw it. not my problem.
18:05 < jeev> lol 18:05 < jeev> what does your work do 18:05 < Dougy|Work> What do you mean 18:05 < jeev> you guys host 18:05 < Dougy|Work> i get my $8.15/hour to be the noc monkey 18:05 < jeev> damn 18:05 < jeev> how old iz you! 18:06 < Dougy|Work> Fifteen 18:06 < jeev> oh 18:06 < jeev> ok 18:06 < jeev> not bad i guess 18:06 < plaerzen> working in noc at 15, not bad 18:06 < jeev> at 16 i was making 20k/month 18:06 < krzee> better than not bad! 18:06 < Dougy|Work> Bull shit 18:06 < Dougy|Work> Sorry 18:06 < jeev> and i was a noc monkey actually 18:06 < jeev> i had free bandwidth 18:06 < jeev> at a datacenter 18:06 < jeev> cause i did their routers 18:06 < Dougy|Work> Oh 18:06 < jeev> so i sold game servers 18:06 < jeev> lol 18:06 < Dougy|Work> Nice 18:06 < jeev> at 0 cost 18:06 < Dougy|Work> haha 18:06 < jeev> i was one of the first 18:06 < jeev> lol 18:06 < Dougy|Work> jeev 18:06 < krzee> i was making good $ too, but it was all illegal, lol 18:06 < Dougy|Work> Join the openvpn forum 18:06 < Dougy|Work> www.ovpnforum.com 18:06 < Dougy|Work> >> 18:06 < Dougy|Work> haha 18:06 < jeev> lol krzee 18:07 < jeev> mine was too pretty much 18:07 < jeev> at 19, i had gold amex 18:07 < jeev> they forced me to cancel it 18:07 < jeev> i was spending 30k/month and paying off within days 18:07 < jeev> and they got mad 18:07 < Dougy|Work> you know 18:07 < jeev> wanted financials 18:07 < jeev> and boom 18:07 < Dougy|Work> it would help 18:07 < Dougy|Work> if my fucking server was pu 18:07 < Dougy|Work> up 18:07 < jeev> lol 18:08 < Dougy|Work> wtf 18:08 < Dougy|Work> named is borked 18:08 < jeev> who still uses named? 
18:08 < jeev> use djbdns like a man 18:08 < krzee> umm 18:08 < krzee> me 18:08 < jeev> LIKE A MAN 18:08 < krzee> hehe another qmail guy i take it 18:08 < Dougy|Work> jeev: directadmin comes with named 18:08 < jeev> no 18:08 < jeev> i used to love qmail 18:08 < jeev> till it pissed me off 18:08 < krzee> i still do 18:08 < Dougy|Work> Dovecot 18:08 < jeev> so now i run postfix 18:08 < krzee> hehe 18:09 < jeev> takes me SO long to configure 18:09 < Dougy|Work> Postfix is good too 18:09 < jeev> but postfix > qmail 18:09 < jeev> i have to install on 2 servers 18:09 < jeev> and document it 18:09 < Dougy|Work> -bash-3.2# uptime 18:09 < Dougy|Work> 04:09:13 up 5:50, 1 user, load average: 3.12, 1.95, 1.17 18:09 < jeev> my install took 1 month to perfect 18:09 < Dougy|Work> considering there's one site on there that has 4 members 18:09 < Dougy|Work> that's not good 18:09 < Dougy|Work> hmm 18:09 < Dougy|Work> I think iptables done it 18:09 < Dougy|Work> damn iptables 18:10 < Dougy|Work> www.ovpnforum.com 18:10 < Dougy|Work> load jeev? 18:10 < Dougy|Work> its sluggish cuz of the load 18:10 < Dougy|Work> but does it load 18:10 -!- mode/##openvpn [+o jeev] by ChanServ 18:10 <@jeev> cool 18:10 <@jeev> yes load 18:10 <@jeev> i will host it for you if you'd like.
18:10 <@jeev> thanks krzee 18:10 < krzee> haha 18:11 < Dougy|Work> this is pathetic 18:11 < Dougy|Work> Im gonna call up Greg Landis and complain like nobody ever has before 18:11 -!- jeev_ [i=jeev@unaffiliated/jeev] has joined ##openvpn 18:11 < jeev_> FreeBSD shell2.lomag.net 4.7-STABLE FreeBSD 4.7-STABLE #1: Sat Jan 18 15:29:54 EST 2003 root@shell2.lomag.net:/usr/obj/usr/src/sys/SHELL2 i386 18:11 < jeev_> 7:11PM up 2047 days, 6:06, 2 users, load averages: 0.05, 0.17, 0.23 18:11 -!- jeev_ [i=jeev@unaffiliated/jeev] has quit [Client Quit] 18:11 < Dougy|Work> Ewwwwwwwwwwwwwwwwwwwwwwww 18:11 < Dougy|Work> wow 18:11 < Dougy|Work> i lied 18:11 < Dougy|Work> that's some friggin sick uptime 18:11 <@jeev> who is greg landis 18:11 -!- mode/##openvpn [-o jeev] by ChanServ 18:11 < Dougy|Work> owner of jaguarpc/wowvps 18:11 < Dougy|Work> etc 18:12 < jeev> :/ 18:12 < jeev> playing with me krzee? 18:12 < Dougy|Work> very rich guy 18:12 < Dougy|Work> think he could give decent service 18:13 < Dougy|Work> okay 18:13 < Dougy|Work> site should be fast now, right jeev? 18:13 < jeev> it's decent 18:13 < Dougy|Work> faster* 18:13 < Dougy|Work> well, it's as fast as GNAX is going to let it be 18:13 < Dougy|Work> <@Fatal_Work> *exec @self[:users] 18:13 < Dougy|Work> <~Purgatory> fenris-wolf#yoda|away#zach#mckooter#hostserv#chanserv#fatal_work#lincid#viperskingdom#punzada#arcanusnumquam#allxtremenet#liquid-wolf#operserv#[-x-]#helpserv#< 18:13 < Dougy|Work> <@Fatal_Work> *exec @self[:users][:arcanusnumquam].level 18:13 < Dougy|Work> <~Purgatory> /home/fatal/mud_irc/src/classes.rb:120:in `evaluate'/home/fatal/mud_irc/src/classes.rb:120:in `evaluate'undefined method `level' for nil:NilClass 18:13 < Dougy|Work> Dude. Ruby is insane. 
18:14 < jeev> heh 18:16 < Dougy|Work> yeah see its real fast now 18:16 < Dougy|Work> (The site) 18:16 < Dougy|Work> :) 18:17 < Dougy|Work> I just gotta get a logo made 18:17 < Dougy|Work> :( 18:22 < Dougy|Work> jeev: where'd you go 18:23 < jeev> was shaving 18:23 < jeev> lol 18:23 < Dougy|Work> fun stuff 18:23 < Dougy|Work> All my designers are on vacation :< 18:24 < jeev> heh 18:24 < jeev> i should make a tutorial 18:24 < jeev> since i hate rpm's 18:24 < Dougy|Work> I was going to do it later, but feel free 18:24 < Dougy|Work> http://bellardia.com/testforum/ 18:24 < Dougy|Work> What about that skin? 18:25 < Dougy|Work> HAHA. 18:25 < jeev> heh 18:25 < jeev> dunno 18:25 < jeev> brb 18:25 < Dougy|Work> hm 18:25 < Dougy|Work> who else is awake? 18:25 < Dougy|Work> are you still here krzee? 18:26 * plaerzen is awake. although /me is leaving work soon. 18:26 < Dougy|Work> plaerzen: http://www.upload3r.com/serve/270808/1219879594.jpg 18:26 < Dougy|Work> What do you think of that skin 18:26 < plaerzen> sfw ? 18:26 < Dougy|Work> except for the lack of english 18:26 < Dougy|Work> yes 18:26 < Dougy|Work> it's a vB skin 18:28 * plaerzen ponders. 18:28 < Dougy|Work> Hm? 18:28 < plaerzen> I like it, but I am no graphic designer. Let me grab our graphic designer and see what he thinks 18:28 < Dougy|Work> lol 18:28 < Dougy|Work> Meh. 18:32 < plaerzen> he says 7/10. As long as the contrast on the monitor is set properly it looks fine. However the contrast between the posting frames and the background might look a little too mellow to be easily distinguished 18:32 < plaerzen> so perhaps make it a shade or two darker in the grey areas 18:32 < krzee> im here 18:32 < krzee> im in and out 18:32 < plaerzen> except for the top bar, that looks fine. 18:32 < Dougy|Work> krzee: same question as i asked plaerzen 18:32 < plaerzen> I'm talking the main viewing area 18:34 -!- Netsplit kubrick.freenode.net <-> irc.freenode.net quits: kala 18:34 < plaerzen> cool? Because I'm heading out.
18:35 < Dougy|Work> images are borked
18:35 -!- Netsplit over, joins: kala
18:39 < ByPasS> is the fartboy taishi been around ? :)
18:40 < ByPasS> lately should I add
18:40 < Dougy|Work> hmm
18:40 < Dougy|Work> plaerzen: still here?
18:40 < Dougy|Work> krzee: ping
18:41 < ByPasS> doug : may i ask how u handle all that work and still be under direction of ur parents ?
18:41 < Dougy|Work> ByPasS: what do you mean?
18:41 < ByPasS> u said they wont allow u laptop + desktop
18:42 < ByPasS> hence u are into multiple projects
18:42 < Dougy|Work> i do it whenever i can
18:42 < ByPasS> for comps and friends
18:42 < Dougy|Work> ill go online on my psp
18:42 < Dougy|Work> or i'll "go out for the night" and come down to the DC for a few hours
18:42 < ByPasS> i had that problem
18:42 < ByPasS> i left home at 16
18:43 < Dougy|Work> I'll be here when I'm 16
18:43 < Dougy|Work> well
18:43 < Dougy|Work> at hoem
18:43 < Dougy|Work> home^
18:43 < Dougy|Work> ByPasS: http://www.ovpnforum.com/?styleid=2
18:43 < Dougy|Work> How's that look
18:43 < Dougy|Work> er
18:43 < Dougy|Work> https://www.ovpnforum.com/?styleid=2
18:43 < ByPasS> instead of trash icon it looks good
18:43 < ByPasS> ur the one that proposed it earlier right the domain
18:44 < ByPasS> as an help of course
18:44 < Dougy|Work> well im egtting opinions
18:44 < Dougy|Work> getting^
18:44 < Dougy|Work> Shit, got a reboot page to my cell
18:44 < Dougy|Work> brb going downstairs
18:45 < ByPasS> kk as i said beside the icons (prolly default) as trash cans its good
18:45 < ByPasS> clean imo and thats what i care the more clean it is the easier it is to get to the information
18:47 < ByPasS> i just dont like the icons on empty non empty subjects
18:47 < ByPasS> forums arent ment for non good info :)
18:47 < Dougy|Work> back
18:48 < ByPasS> anyway i think u said it was vb right ?
18:49 < Dougy|Work> It's vB, yes
18:49 < ByPasS> im semi clueless but a new icon set theme would save the apperance
18:50 < Dougy|Work> yeah
18:50 < ByPasS> im sure bc has themes
18:50 < Dougy|Work> no need even for a logo
18:50 < ByPasS> no they wont ask that here
18:50 < ByPasS> just not trash cans
18:51 < ByPasS> as they said they will really like it unless they have to care too much as dev
18:51 < Dougy|Work> Going hom
18:51 < Dougy|Work> e
18:51 < Dougy|Work> bbl
18:51 < ByPasS> k
18:52 < ByPasS> its so funny u might be gone but i have 5 box running here ok its my home but :) freebsd linux and winblows :P
18:55 < ByPasS> i got some questions from a friend and im clueless well i dont wanna fuck the setup
18:55 < ByPasS> if any1 tried :)
18:55 < ByPasS> he is redirecting gateway def1 in routed mode
18:56 < ByPasS> its maybe an iptables question but maybe some1 dealt with it
18:56 < ByPasS> can u port forward from the openserver real ip to tun0 ?
18:57 < ByPasS> iptables crap but im just wondering if any1 tried or did
18:57 < ByPasS> port forward from public ip server - specific client
19:01 < ByPasS> thats why i asked for taishi he would have farted atleast with no answer at worst ;)
19:02 < krzee> sorry i came in late
19:02 < krzee> whats the problem?
19:03 < krzee> you just wanna direct traffic over the vpn for the inet?
19:03 < ByPasS> opposite
19:03 < ByPasS> i was asked if it was possible
19:04 < krzee> umm
19:04 < krzee> opposite how?
19:04 < ByPasS> to use inet ip from openvpon server to redirect inside the von to the client well a speciofiv cleint
19:04 < ByPasS> err stupid kb
19:04 < krzee> oh im sure you can
19:04 < krzee> thats all IP layer, so ya
19:05 < ByPasS> i dont know what he wants put i assume
19:05 < ByPasS> he wants port 2222 to be port forwarded from openvpn server to the tun0 and to a specific machine
19:06 < ByPasS> client machien
19:06 < ByPasS> he knows the ip as clients are hardcoded
19:06 < krzee> well ya
19:06 < krzee> as long as the gateway router knows about the route to the vpn
19:07 < krzee> then sure
19:07 < ByPasS> i tested his thing
19:07 < ByPasS> from a winblows but well
19:07 < ByPasS> everything is redirected in vpn
19:07 < ByPasS> so thats all good
19:07 < krzee> ie: if the lan is 192.168.x.x and vpn is 10.8.x.x, if the gateway which port forwards doesnt know how to route traffic to 10.8.x.x then it cant forward to it
19:07 < krzee> otherwise, sure
19:08 < ByPasS> i think he is doing real ip eth0 ftom coloc
19:08 < ByPasS> from
19:08 < ByPasS> and 10.x
19:08 < krzee> i dunno iptables, but it can be done
19:08 < ByPasS> openvpn
19:08 < ByPasS> kk
19:09 < ByPasS> yea i figured it was not really vpn oriented
19:09 < ByPasS> ovpn
19:09 < krzee> correct
19:10 < ByPasS> i think he is trying to bypass :) some isp rule
19:10 < ByPasS> aka no inc 80
19:10 -!- daemon [n=daemon@mail.daemoncore.org] has quit ["ZNC - http://znc.sourceforge.net"]
19:11 < ByPasS> and by redirect his gateway he thought he was good
19:11 < ByPasS> yet u need to port forward
19:12 < ByPasS> and nat ! ahhh :) i should charge him
19:14 < ByPasS> redirect-gateway def1 = port forward XYZ in his head bah
19:15 < jeev> redirect-gateway > *
19:15 < ByPasS> well it works as i did the setup
19:15 < ByPasS> now he wants port X from vpnserver to forward into the vpn
19:16 < ByPasS> dif story
19:17 < ByPasS> i know its not purely openvpn related
19:18 < ByPasS> ive done all but that barely
19:19 < ByPasS> gateway is vpn all good
19:19 < ByPasS> now he wants port X to work thru ish
19:19 < ByPasS> its a lil farther than my knowledge
19:19 < ByPasS> iptables chan suck
19:20 < ByPasS> (5:58:52 PM) jmoncayo: will a default drop policy help if a windows computer is infected with virus?
19:20 < ByPasS> last msg in chan
19:20 < ByPasS> im not that stupid
19:20 -!- mode/##openvpn [+o ByPasS] by ChanServ
19:22 < krzee> lol
19:22 -!- mode/##openvpn [-o ByPasS] by ChanServ
19:22 < ByPasS> lol
19:22 -!- Netsplit kubrick.freenode.net <-> irc.freenode.net quits: kala
19:22 -!- Netsplit kubrick.freenode.net <-> irc.freenode.net quits: tcccp
19:23 < krzee> !notopenvpn
19:23 < vpnHelper> krzee: "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem
19:23 < jeev> lol
19:23 < krzee> all you really want is to know howto port forward in linux
19:23 < ByPasS> krzee : ive helped here and yet i helped cservice xy
19:23 < krzee> cservice xy ==?
19:24 < ByPasS> undernet crap
19:24 < ByPasS> bot systems
19:25 < ByPasS> chanserv = X , Y botsystem on undernet
19:26 -!- Netsplit over, joins: kala
19:30 < ByPasS> krzee : fine to order he gets zilllions of packet reply
19:31 < ByPasS> err replay
19:34 < ByPasS> now im wondering if he is dsl and mtu1492
19:34 < ByPasS> and server is 1500 eth0
19:36 -!- Netsplit kubrick.freenode.net <-> irc.freenode.net quits: kala
19:39 -!- aptanet [n=Paul@87-127-190-18.no-dns-yet.enta.net] has quit ["Leaving"]
19:42 -!- Netsplit over, joins: kala
19:47 -!- Netsplit kubrick.freenode.net <-> irc.freenode.net quits: kala
19:48 -!- ByPasS [n=bypass@modemcable076.69-21-96.mc.videotron.ca] has left ##openvpn []
19:50 -!- kraut [i=kraut@blackhole.packetloss.biz] has quit [Broken pipe]
19:55 -!- Netsplit over, joins: kala
20:05 -!- Netsplit kubrick.freenode.net <-> irc.freenode.net quits: kala
20:09 -!- kala [i=kala@uba.linux.ee] has joined ##openvpn
20:09 -!- Netsplit kubrick.freenode.net <-> irc.freenode.net quits: kala
20:10 -!- Netsplit over, joins: kala
20:13 -!- ByPasS [n=bypass@modemcable076.69-21-96.mc.videotron.ca] has joined ##openvpn
20:35 < krzee> s/lte/let/
20:35 < krzee> oops
20:41 < ByPasS> :)
21:08 -!- Dougy [n=douglas@ool-43503ed4.dyn.optonline.net] has joined ##openvpn
21:08 < Dougy> yooo
21:11 * Dougy waves
21:12 * jeev farted
21:12 < Dougy> me too =p
21:12 < Dougy> sup
21:18 * Dougy shanks jeev
21:19 < jeev> loll
21:19 < jeev> lol
21:19 < Dougy> ?
21:19 < Dougy> wha?
21:20 < jeev> watching dnc
21:20 < jeev> i dunno if this a rerun
21:20 < jeev> brb
21:23 < Dougy> k
21:24 < Dougy> !learn forum test
21:24 < vpnHelper> Dougy: Invalid arguments for learn.
21:24 < Dougy> !learn !forum test
21:24 < vpnHelper> Dougy: Invalid arguments for learn.
21:24 < Dougy> !help learn
21:24 < vpnHelper> Dougy: (learn [<channel>] <key> as <value>) -- Associates <key> with <value>. <channel> is only necessary if the message isn't sent on the channel itself. The word 'as' is necessary to separate the key from the value. It can be changed to another word via the learnSeparator registry value.
21:24 < Dougy> !learn forum as test
21:24 < vpnHelper> Dougy: The operation succeeded.
21:24 < Dougy> !learn
21:24 < vpnHelper> Dougy: Invalid arguments for learn.
21:24 < Dougy> !forum
21:24 < vpnHelper> Dougy: "forum" is test
21:24 < Dougy> !route
21:24 < vpnHelper> Dougy: "route" is https://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
21:24 < Dougy> !forget forum
21:24 < vpnHelper> Dougy: The operation succeeded.
21:25 < Dougy> !learn forum as The unofficial OpenVPN support forum is available at http://www.ovpnforum.com
21:25 < vpnHelper> Dougy: The operation succeeded.
21:25 < Dougy> !forum
21:25 < vpnHelper> Dougy: "forum" is The unofficial OpenVPN support forum is available at http://www.ovpnforum.com
21:25 -!- Alives [n=Alives@cpe-72-225-212-185.nyc.res.rr.com] has quit [Read error: 110 (Connection timed out)]
21:25 < Dougy> COOOOOOOL
21:25 < Dougy> :D
21:25 < Dougy> !menu
21:25 < vpnHelper> Dougy: "menu" is !betaman, !tls-cipher, !howto, !faq, !winroute, !iroute, !route, !mail, !tls-verify, !pastebin, !logs, !man, !ubuntu, !gentoo, !freebsd, !ccd, !mtu, !bridge, !tcp, !privledges, !insanity, !nat, !secure, !ask, !wiki, !sample, !configs, !winpass, !dev, !/30, !multi, !router, !notopenvpn, !path, !netman, !tls-auth, !push, !download, !samba
21:26 < Dougy> !forget menu
21:26 < vpnHelper> Dougy: The operation succeeded.
21:26 < Dougy> !learn menu as !forum, !betaman, !tls-cipher, !howto, !faq, !winroute, !iroute, !route, !mail, !tls-verify, !pastebin, !logs, !man, !ubuntu, !gentoo, !freebsd, !ccd, !mtu, !bridge, !tcp, !privledges, !insanity, !nat, !secure, !ask, !wiki, !sample, !configs, !winpass, !dev, !/30, !multi, !router, !notopenvpn, !path, !netman, !tls-auth, !push, !download, !samba
21:26 < vpnHelper> Dougy: The operation succeeded.
21:26 < Dougy> !menu
21:26 < vpnHelper> Dougy: "menu" is !forum, !betaman, !tls-cipher, !howto, !faq, !winroute, !iroute, !route, !mail, !tls-verify, !pastebin, !logs, !man, !ubuntu, !gentoo, !freebsd, !ccd, !mtu, !bridge, !tcp, !privledges, !insanity, !nat, !secure, !ask, !wiki, !sample, !configs, !winpass, !dev, !/30, !multi, !router, !notopenvpn, !path, !netman, !tls-auth, !push, !download, !samba
21:26 < Dougy> works for me
21:26 < Dougy> hmm do i do that, or do i do it at the end.
21:26 < Dougy> I think the end is better.
21:26 < Dougy> !forget menu
21:26 < vpnHelper> Dougy: The operation succeeded.
21:26 < Dougy> !learn menu as !betaman, !tls-cipher, !howto, !faq, !winroute, !iroute, !route, !mail, !tls-verify, !pastebin, !logs, !man, !ubuntu, !gentoo, !freebsd, !ccd, !mtu, !bridge, !tcp, !privledges, !insanity, !nat, !secure, !ask, !wiki, !sample, !configs, !winpass, !dev, !/30, !multi, !router, !notopenvpn, !path, !netman, !tls-auth, !push, !download, !samba
21:26 < vpnHelper> Dougy: The operation succeeded.
21:26 < Dougy> CRAP
21:26 < Dougy> !forget menu
21:26 < vpnHelper> Dougy: The operation succeeded.
21:26 < Dougy> !learn menu as !betaman, !tls-cipher, !howto, !faq, !winroute, !iroute, !route, !mail, !tls-verify, !pastebin, !logs, !man, !ubuntu, !gentoo, !freebsd, !ccd, !mtu, !bridge, !tcp, !privledges, !insanity, !nat, !secure, !ask, !wiki, !sample, !configs, !winpass, !dev, !/30, !multi, !router, !notopenvpn, !path, !netman, !tls-auth, !push, !download, !samba, !forum
21:26 < vpnHelper> Dougy: The operation succeeded.
21:26 < Dougy> There.
21:27 < Dougy> :)
21:31 * Dougy grnis,.
21:31 < Dougy> whoa.
21:31 * Dougy grins.
21:32 -!- j_nwb [n=j_nwb@c-98-210-141-122.hsd1.ca.comcast.net] has joined ##openvpn
21:32 < Dougy> hey j_nwb
21:33 < Dougy> How are you
21:35 < j_nwb> Dougy: doing good thanks.
21:37 < Dougy> Cool stuff
21:37 < Dougy> :)
21:37 < Dougy> !notopenvpn
21:37 < vpnHelper> Dougy: "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem
21:39 < j_nwb> I am getting : UDPv4 link local: [undef] in the messages file and then TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
21:40 < j_nwb> Any idea on how to go about debugging this ?
21:41 < Dougy> Er.
21:41 < Dougy> What OS is the server and what OS is the client?
21:41 < j_nwb> both fedora
21:41 < jeev> Dougy
21:41 < jeev> !notopenvpn
21:41 < vpnHelper> jeev: "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem
21:41 < Dougy> jeev
21:41 < jeev> READ THAT!
21:41 < Dougy> jeev: why?
21:42 < jeev> chicken thigh
21:42 < Dougy> :s
21:42 < Dougy> !kick jeev SHHH.
21:42 < vpnHelper> Dougy: Error: You don't have the ##openvpn,op capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
21:42 < Dougy> PFFT. Lame.
21:42 < jeev> !kick Dougy take a shower!
21:42 < vpnHelper> jeev: Error: You don't have the ##openvpn,op capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
21:42 < Dougy> fail
21:42 < Dougy> okay
21:42 < jeev> brb
21:42 < Dougy> back on topic now
21:42 * Dougy kicks jeev
21:43 < Dougy> j_nwb: is there such things as a firewall on the clientside?
21:44 < j_nwb> no.. iptables is stopped on the client.
21:45 < Dougy> the !notopenvpn applies here to an extent
21:45 < Dougy> give me a sec
21:45 < Dougy> Can you pastebin the client side log?
21:45 < Dougy> http://rafb.net/paste
21:45 < j_nwb> There is no tap device getting created on the machine.
21:45 < j_nwb> sure.
21:46 < Dougy> Are you running it as root?
21:46 < Dougy> !whoami
21:46 < vpnHelper> Dougy: I don't recognize you.
21:46 < Dougy> You suck
21:51 < j_nwb> http://rafb.net/p/dc8FhC10.html
21:51 < vpnHelper> Title: Nopaste - No description (at rafb.net)
21:52 < Dougy> sec
21:52 < Dougy> old version of openvpn
21:52 < Dougy> o.O
21:53 < Dougy> and old version of fedora
21:53 < Dougy> but that shouldn't necessarily matter
21:53 * Dougy thinks
21:54 < Dougy> i'm really useless at all of this man
21:54 * Dougy should give up
21:54 < j_nwb> yes
21:54 < Dougy> thanks
21:54 < Dougy> good luck figuring it out then
21:54 * Dougy vanishes
21:54 < j_nwb> thanks.. :)
21:55 < Dougy> well man
21:55 < Dougy> you weren't exactly nice about it
21:55 < rmull_> j_nwb: Are the system clocks on both machines synced?
21:55 < j_nwb> probably not.
21:55 < rmull_> Sync them and try again.
21:55 < Dougy> sup rmull_
21:55 < rmull_> sup Dougy
21:55 < Dougy> just got home about 30 mins ago
21:55 < rmull_> Saw you getting abused so I came to assist
21:56 < Dougy> thanks
21:56 < rmull_> Also saw vpnHelper getting abused <_<
21:56 < Dougy> i was thinking time and was getting ready to say it
21:56 < Dougy> but then i was insulted
21:56 < Dougy> so
21:56 < Dougy> to hell with that
21:57 < Dougy> !forum
21:57 < vpnHelper> Dougy: "forum" is The unofficial OpenVPN support forum is available at http://www.ovpnforum.com
21:57 * Dougy chuckles
21:58 < rmull_> 5 members
21:58 < rmull_> Still one post though :P
21:58 < Dougy> rmull_: new skin too
21:58 < Dougy> didja see it?
21:58 < rmull_> Looks good mang
21:58 < Dougy> nod
21:58 < Dougy> :]
21:58 < rmull_> Probably'd look even better if I was running that one KDE skin
21:58 < Dougy> no need for a logo either
21:58 < Dougy> ewwwwwwwwwwwwwww
21:58 < Dougy> KD
21:59 < Dougy> KDE = fal
21:59 < Dougy> fail^
21:59 < rmull_> They have a skin that looks exactly like this is what I'm saying
21:59 < Dougy> i'm full of fail tonight, aren't i
21:59 < Dougy> >>
21:59 < rmull_> I use dwm
21:59 < Dougy> gnome here
21:59 < Dougy> sometimes fluxbox depending what the pc specs are
21:59 < rmull_> I used to use Flux back in the day (last year)
22:00 < Dougy> lmfao
22:00 < rmull_> I've only technically been using Linux for .. this is my third year.
22:00 < Dougy> I've been on it longer than you
22:00 < Dougy> o>O
22:00 < Dougy> o.O*
22:00 < Dougy> I had my first shell at 9
22:00 < Dougy> no joke
22:00 < rmull_> Damn son
22:00 < Dougy> I already had no life at that point
22:00 < rmull_> :bow:
22:00 < Dougy> mind you it was only for IRC purposes
22:01 < Dougy> but it was still my first shell
22:01 < Dougy> :p
22:01 < rmull_> I didn't use a computer until I was in 8th grade
22:01 < Dougy> lmfao
22:01 < Dougy> i got my first one before i started preschool
22:01 < Dougy> no lie
22:01 < rmull_> Woah.
22:01 < Dougy> i remember it well
22:01 < rmull_> Must have had compute-y parents.
22:01 < Dougy> not even close
22:01 < rmull_> werd
22:01 < Dougy> my dad doesnt know how to turnh is on
22:01 < Dougy> turn his
22:01 < Dougy> my mom is semi-literate
22:02 < Dougy> They got me one back then with Windows 3.1 and an app called child's play
22:02 < Dougy> that app was the shiz
22:02 < Dougy> it was like photoshop for babies
22:04 < rmull_> I wonder where j_nwb 's gone
22:04 < Dougy> Who cares
22:04 < Dougy> He's evil
22:05 < rmull_> Don't be bitter :P
22:05 < rmull_> I want to know if his problem got fixed, that's all
22:05 < rmull_> Lol
22:07 < Dougy> LOL rmull_
22:07 < j_nwb> sorry guys.. I did not mean to offend anyone.
22:07 < Dougy> you know i'm 15 right
22:07 < rmull_> j_nwb: No sweat
22:07 < rmull_> Dougy: Yeah, I think you mentioned it
22:08 < j_nwb> rmull_, I syncd up the clock.. no luck.
22:08 < Dougy> Okay. so my friend who's also my age has a step sistser my age. there's a photo of his step sister in a maid outfit floating around facebook
22:08 < rmull_> :(
22:08 < Dougy> hahaha
22:08 < rmull_> You love facebook :P
22:08 < Dougy> everyones talking about it and hes like "wtf is this"
22:08 < Dougy> http://img83.imageshack.us/img83/7117/screenshot2vj3.png
22:08 < Dougy> read the facebook chat
22:08 < Dougy> hahah
22:08 * Dougy loves how desperate peopl are
22:09 < Dougy> people^
22:09 < rmull_> You wouldn't react the same way?
22:09 < Dougy> what do you mean
22:10 < Dougy> i would be pissed
22:10 < rmull_> Wait
22:10 < Dougy> thats my friend saying "LINK"
22:10 < rmull_> I think I misunderstood the situation
22:10 < rmull_> Lol
22:10 < Dougy> not the guy who's stepsister is
22:10 < Dougy> probably
22:10 * rmull_ goes back to writing documentation like a good peon
22:10 < Dougy> lmfao
22:10 < Dougy> docs for what
22:10 < Dougy> tutorial for the
22:10 < Dougy> !forum
22:10 < Dougy> ??
22:10 < vpnHelper> Dougy: "forum" is The unofficial OpenVPN support forum is available at http://www.ovpnforum.com
22:10 < Dougy> hahahaha
22:10 * Dougy is a bastard
22:10 < rmull_> So I worked for a windows shop this summer
22:11 < rmull_> Everything I did was Linux-based
22:11 < Dougy> lol
22:11 < rmull_> So they need to know how to work it if it breaks
22:11 < rmull_> Which it won't.
22:11 < rmull_> :P
22:11 < Dougy> righto
22:11 < Dougy> Im sleepy
22:11 < Dougy> bed soon
22:11 < Dougy> its 11:11
22:11 < Dougy> makeawish
22:12 < rmull_> I missed it
22:12 < rmull_> Maybe tomorrow night.
22:14 < Dougy> lol
22:14 < Dougy> actuall i guess 11:11 AM is better
22:14 < Dougy> since its technically (was) 23:1
22:14 < Dougy> 1
22:14 < rmull_> True
22:28 < Dougy> rmull_:
22:28 < Dougy> how good are you with windows
22:28 < Dougy> http://www.screen-shot.net/ss/73259552139391154767.png <-- my friend is gettign that
22:29 < Dougy> hm sec
22:31 < Dougy> fixd
22:31 < Dougy> gtg
22:31 -!- Dougy [n=douglas@ool-43503ed4.dyn.optonline.net] has quit ["leaving"]
22:35 < j_nwb> hi.. I removed the tls-auth key from both server and client configs.... it still gives... TLS error... is that normal ?
22:36 < j_nwb> do I need to create tap interface on the client separately.. or openvpn would start it when I connect/start the service.
22:38 < j_nwb> Can I somehow check if the client is able to connect to the server at the given udp port ?
23:13 -!- j_nwb [n=j_nwb@c-98-210-141-122.hsd1.ca.comcast.net] has quit [Read error: 110 (Connection timed out)]
--- Day changed Thu Aug 28 2008
00:36 -!- jeffspeff [i=jeff@c-98-240-113-135.hsd1.ky.comcast.net] has joined ##openvpn
00:39 < jeffspeff> if i have say 7 systems in one office, connecting with one public ip to an openvpn server in a remote office; do i have to set seperate ip addresses or anything, or will it all work even though there are multiple vpn clients behind a single public ip?
04:18 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
05:02 -!- jeffspeff2 [i=jeff@c-98-240-113-135.hsd1.ky.comcast.net] has joined ##openvpn
05:02 -!- jeffspeff [i=jeff@c-98-240-113-135.hsd1.ky.comcast.net] has quit [Read error: 104 (Connection reset by peer)]
05:57 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
06:04 -!- aptanet [n=Paul@87-127-190-18.no-dns-yet.enta.net] has joined ##openvpn
06:53 -!- ByPasS [n=bypass@modemcable076.69-21-96.mc.videotron.ca] has quit ["Leaving."]
07:21 -!- ByPasS [n=bypass@taki.secured.org] has joined ##openvpn
07:31 -!- ByPasS [n=bypass@taki.secured.org] has left ##openvpn []
07:35 -!- ByPasS [n=bypass@taki.secured.org] has joined ##openvpn
07:57 < ecrist> jeffspeff2: it'll work fine as they'll all be coming from different source ports.
07:57 < ecrist> it's not an ideal setup, but it will work.
07:58 < ecrist> ideally, for a LAN as you describe, you'd setup a VPN router so that all local clients connect through a single VPN client.
09:27 -!- jeffspeff2 [i=jeff@c-98-240-113-135.hsd1.ky.comcast.net] has quit [Read error: 110 (Connection timed out)]
09:30 -!- jeffspeff [i=jeff@c-98-240-113-135.hsd1.ky.comcast.net] has joined ##openvpn
09:32 -!- jeffspeff2 [i=jeff@c-98-240-113-135.hsd1.ky.comcast.net] has joined ##openvpn
09:33 -!- jeffspeff [i=jeff@c-98-240-113-135.hsd1.ky.comcast.net] has quit [Read error: 104 (Connection reset by peer)]
09:56 -!- jeffspeff [i=jeff@c-98-240-113-135.hsd1.ky.comcast.net] has joined ##openvpn
10:08 < plaerzen> morning
10:08 < ecrist> howdy
10:10 -!- jeffspeff2 [i=jeff@c-98-240-113-135.hsd1.ky.comcast.net] has quit [Connection timed out]
10:14 -!- jeffspeff2 [i=jeff@c-98-240-113-135.hsd1.ky.comcast.net] has joined ##openvpn
10:14 -!- jeffspeff [i=jeff@c-98-240-113-135.hsd1.ky.comcast.net] has quit [Connection timed out]
10:19 -!- u12u [n=will@undertakingyou.dsl.xmission.com] has quit [Read error: 110 (Connection timed out)]
11:13 -!- steve [i=steve@bouncer.stephen.marsh.name] has quit ["disconnecting from stoned server."]
11:14 -!- weatherhead [n=danw@cpc1-midd4-0-0-cust43.midd.cable.ntl.com] has joined ##openvpn
11:15 < weatherhead> hi, I'm trying to set up a bridged VPN. The client seems able to connect (I get initialisation sequence complete messages at both ends), but is unable to ping anything on the LAN side. He also doesn't seem to have a tap0 device.
11:26 -!- Dougy [n=douglas@ool-43503ed4.dyn.optonline.net] has joined ##openvpn
11:29 < Dougy> hi
11:45 < jeev> Dougy, go to work
11:47 < Dougy> jeev: no
11:47 < Dougy> i'm off today
11:48 < Dougy> anyway
11:48 < Dougy> back outside to mow the lawn
11:48 < Dougy> bbl
11:49 < jeffspeff2> if i have say 7 systems in one office, connecting with one public ip to an openvpn server in a remote office; do i have to set seperate ip addresses or anything, or will it all work even though there are multiple vpn clients behind a single public ip?
11:49 < jeffspeff2> (i meant seperate ports, not ip addresses)
11:56 < plaerzen> you don't need multiple vpn clients. just set up a server with one vpn client connecting with a permanent tunnel to the other vpn server in a remote office.
11:56 < plaerzen> that would be my reccomendation
11:58 < jeffspeff2> how would one vpn server in each office connect all the different computers?
11:59 < plaerzen> as long as they are on the same subnet, nat should work.
11:59 < jeffspeff2> i need all the computers in the office to have a vpn ip to the server
12:00 < cpm> doesn't need nat, the lans are the same lan, linked by a vpn tunnel, rather than a point to point wan link. IT's the same lan.
12:00 < plaerzen> ya, that's what I meant
12:01 < jeffspeff2> ok, so set up an openvpn server in the office, and config it to tunnel all the other ip's of that office to the remote server?
12:02 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn
12:02 < cpm> think of the 'openvpn server in the office' and the 'remote servers' as peers
12:02 < cpm> rather than servers.
12:03 < cpm> and yes, configured as a bridge, they act as a flat lan.
12:06 < jeffspeff2> sorry, but can you dumb it down just a little bit more for me? lol... Office 1 has lan ips of 192.100.123.0; Office 2 has 192.168.11.0 network. i need to be able to rdp and snmp Office 1 systems from a few systems on the Office 2 network.
12:06 -!- mcp [n=mcp@wolk-project.de] has joined ##openvpn
12:09 < plaerzen> CPM can explain it better than me :P I'm still a relative vpn neophyte.
12:09 -!- kraut [i=kraut@blackhole.packetloss.biz] has joined ##openvpn
12:10 < cpm> jeffspeff2, both offices should have the same subnet, connected by the vpn. why are they numbered differently?>
12:10 < cpm> ?
12:11 < jeffspeff2> those are the individual lan networks. the vpn net that i'm working on getting up is 192.168.50.0
12:11 < cpm> http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html
12:11 < vpnHelper> Title: Ethernet Bridging (at openvpn.net)
12:11 < cpm> jeffspeff2, again, why?
12:11 < cpm> you want them to be the same lan, yes?
12:12 < Dougy> back
12:13 < jeffspeff2> yes, but the 192.100.123.0 net was already existing and they have alot of things already setup on that network (active directory, patient data database server, phone system, etc.) that i don't want to mess with... i just need to link the workstations
12:15 < cpm> jeffspeff2, okay, so you number the 'other lan' as if it's the same lan,and bridge it, as per the example in the url I provided.
12:17 < cpm> http://openvpn.net/index.php/documentation/faq.html#bridge1\
12:17 < jeffspeff2> ok, but say i add Office 3 to the picture; how do i keep Office 3 from accessing office 1 stuff?
12:17 < vpnHelper> Title: FAQ (at openvpn.net)
12:18 < cpm> I thought you wanted them to be able to access, , ,
12:18 * cpm is very confused.
12:19 < jeffspeff2> i want my servers in office 2 to access some things on the servers and stations of offices 1 and 3. all three offices are seperate companies, i'm calling them office to show geographical seperation. office 1 and 3 don't need to be accessing each other in any way.
12:21 < jeffspeff2> my idea was to do routed vpn on the client systems in offices 1 and 3 to the server in office 2... giving each client it's own vpn ip and security cert, etc.
12:28 < ecrist> afternoon, kids
12:30 < ecrist> jeffspeff2: you can't have confilicting IPs. period.
12:31 < cpm> ecrist, he wants to use the vpn as his access control system, which I think is a bit wrong headed, but I refuse to judge. I just don't think it's going to work very well.
12:36 < ecrist> jeffspeff2: you need to combine some firewall stuff in with the VPN to get what I think you're looking for.
12:37 < ecrist> OpenVPN isn't an access control system, per se.
12:37 < Dougy> sup ecrist
12:40 < Dougy> 13:37 :D
12:40 < Dougy> my fav tiem
12:40 < Dougy> time^
13:05 -!- bandini [n=bandini@79.16.109.123] has quit [Read error: 60 (Operation timed out)]
13:06 -!- bandini [n=bandini@host29-109-dynamic.16-79-r.retail.telecomitalia.it] has joined ##openvpn
13:12 < jeffspeff2> ecrist, cpm, i'm not wanting an access control system... i have a remote support system, and zenoss setup on my servers. both require network connection (rdp, snmp). i want to make a vpn between the different remote offices to my own, while leaving their existing network infrastructure intact. like have a seperate network only for the vpn. i think if i were to use bridging then there would be a big liability with the offices bein
13:12 < jeffspeff2> g able to access sytems of the other offices.
13:13 < ecrist> jeffspeff2: in that case, just setup a VPN, and for the hosts you want to have access to via the VPN, but them on a separate subnet, in addition to the primary subnet.
13:17 < jeffspeff2> right, and do routed vpn instead of bridge... correct?
13:18 -!- vladi-bg [n=vladi@206-169-1-36.static.twtelecom.net] has quit [Read error: 104 (Connection reset by peer)]
13:18 < ecrist> yep
13:21 < jeffspeff2> ok, now with that setup, i'm curious as to how some of the applications on my end will behave. does the vpn traffic bypass the lan/wan router? like for access the same port on the vpn clients, but they are all behind the same public ip
13:21 < jeffspeff2> or does the public ip even matter?
13:21 < ecrist> public IP doesn't matter to those clients.
13:21 < ecrist> everything will be transmitted across the VPN.
13:22 < jeffspeff2> ok, thanks. :)
14:04 -!- syslogd [n=syslogd@unaffiliated/syslogd] has quit [Read error: 110 (Connection timed out)]
14:16 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:30 -!- bandini [n=bandini@host29-109-dynamic.16-79-r.retail.telecomitalia.it] has quit ["Ex-Chat"]
14:30 -!- bandini [n=bandini@host29-109-dynamic.16-79-r.retail.telecomitalia.it] has joined ##openvpn
14:58 -!- ByPasS [n=bypass@taki.secured.org] has left ##openvpn []
15:01 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Client Quit]
15:14 -!- jeffspeff [i=jeff@c-98-240-113-135.hsd1.ky.comcast.net] has joined ##openvpn
15:30 -!- jeffspeff2 [i=jeff@c-98-240-113-135.hsd1.ky.comcast.net] has quit [Success]
15:34 -!- irado [n=irado@srv1.carv.com.br] has joined ##openvpn
15:39 -!- irado [n=irado@srv1.carv.com.br] has quit ["fuiii!!"]
15:47 -!- jeffspeff2 [i=jeff@c-98-240-113-135.hsd1.ky.comcast.net] has joined ##openvpn
16:00 -!- jeffspeff [i=jeff@c-98-240-113-135.hsd1.ky.comcast.net] has quit [Connection timed out]
16:03 -!- jeffspeff [i=jeff@c-98-240-113-135.hsd1.ky.comcast.net] has joined ##openvpn
16:03 -!- jeffspeff2 [i=jeff@c-98-240-113-135.hsd1.ky.comcast.net] has quit [Read error: 104 (Connection reset by peer)]
16:18 -!- ElCheapo [n=elcheapo@d199-126-55-162.abhsia.telus.net] has joined ##openvpn
16:30 < ElCheapo> Hiya. I've been trying to sort out my OpenVPN setup all day and I was hoping somebody would be able to quickly answer a couple of questions.
16:31 < ElCheapo> I'm trying to get it going without the overhead of managing a certificate for every user (unless I can do that automagically)
16:32 < ElCheapo> an authentication scheme similar to SSH/PPTP would be 100% (for ease of managing clients)
16:33 < ElCheapo> Any ideas would be appreciated
16:36 < adie> ElCheapo: do you mean with password auth?
16:36 < ElCheapo> against my ldap server would be best
16:37 < ElCheapo> oh, er.. yes, password
16:39 < adie> ElCheapo: try using --auth-user-pass-verify and wrap an ldapbind in a nasty shell script
16:39 < ElCheapo> cheers
16:40 < adie> dunno if it'll work :-/ - never tried that.
16:41 < adie> I give out p12 files to the users, I'm thinking of storing a cn attribute for the users, and just get the vpn server to poll that and compare it to a ccd directory and update it appropriatly.
16:41 < ElCheapo> I'll let'cha know how I make out
16:41 < adie> what's the clients?
16:42 < adie> win/mac/other *nix?
16:42 < ElCheapo> all of the above :/
16:43 < adie> - I'd be intrested in how tunnelblick and openvpngui cope with it?
16:44 * adie supports them all too.
16:45 < adie> about 50 active vpn users.
16:45 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
16:45 < ElCheapo> busy
16:51 < ElCheapo> auth-pam.pl looks like it might be helpful
17:02 -!- jeffspeff2 [i=jeff@c-98-240-113-135.hsd1.ky.comcast.net] has joined ##openvpn
17:03 -!- jeffspeff [i=jeff@c-98-240-113-135.hsd1.ky.comcast.net] has quit [Read error: 104 (Connection reset by peer)]
17:03 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn
17:04 -!- jeffspeff2 [i=jeff@c-98-240-113-135.hsd1.ky.comcast.net] has quit [Read error: 104 (Connection reset by peer)]
17:05 -!- jeffspeff2 [n=jeff@c-98-240-113-135.hsd1.ky.comcast.net] has joined ##openvpn
17:34 < Dougy> evening all
17:34 < Dougy> :O
17:45 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Client Quit]
17:52 < plaerzen> hi
17:53 < plaerzen> I wish TaiSHI was still in here. Made the day a little more entertaining.
18:05 < ecrist> why'd he stop coming?
18:08 < plaerzen> don't know.
18:08 < plaerzen> He just didn't show up one day
18:09 < Dougy> sup ecrist
18:09 < Dougy> heyhey plaerzen :)
18:09 < Dougy> krzee !!
18:09 < Dougy> :p
18:13 < ecrist> sup, Dougy
18:14 < plaerzen> Harro
18:39 -!- aptanet [n=Paul@87-127-190-18.no-dns-yet.enta.net] has quit [Nick collision from services.]
18:40 -!- aptanet [n=Paul@87-127-190-18.no-dns-yet.enta.net] has joined ##openvpn
18:45 < plaerzen> ok guys, I think I'm going to head out. perhaps grab some fast food, wait for the ice-axe in the gut-type feeling, shit a brick then get ready for my rock climbing weekend in the rockies.
18:48 < ecrist> ok?
18:49 < plaerzen> long weekend, booya.
18:49 < ecrist> my weekend started almost 4 hours ago.
18:49 * ecrist gears up for RNC.
18:49 < plaerzen> lucky. mine starts 20 hours from now.
18:50 < plaerzen> see you guys tomorrow.
18:50 * plaerzen waves.
18:50 < ecrist> and mine is over 7 days from now.
18:50 < ecrist> muahahahaha!
18:55 -!- krzie [i=nobody@unaffiliated/krzee] has quit ["Leaving"]
19:01 < Dougy> oh
19:01 < Dougy> hi ecrist haha
19:01 * Dougy waves
19:03 -!- jeffspeff2 [n=jeff@c-98-240-113-135.hsd1.ky.comcast.net] has quit [Read error: 104 (Connection reset by peer)]
19:21 -!- jeffspeff [i=jeff@c-98-240-113-135.hsd1.ky.comcast.net] has joined ##openvpn
19:40 -!- jeffspeff [i=jeff@c-98-240-113-135.hsd1.ky.comcast.net] has quit [Connection timed out]
19:46 -!- jeffspeff [n=jeff@c-98-240-113-135.hsd1.ky.comcast.net] has joined ##openvpn
19:49 -!- jeffspeff [n=jeff@c-98-240-113-135.hsd1.ky.comcast.net] has quit [Read error: 104 (Connection reset by peer)]
19:49 -!- jeffspeff [n=jeff@c-98-240-113-135.hsd1.ky.comcast.net] has joined ##openvpn
19:53 -!- jeffspeff2 [i=jeff@c-98-240-113-135.hsd1.ky.comcast.net] has joined ##openvpn
19:53 -!- jeffspeff [n=jeff@c-98-240-113-135.hsd1.ky.comcast.net] has quit [Read error: 104 (Connection reset by peer)]
19:55 -!- jeffspeff2 [i=jeff@c-98-240-113-135.hsd1.ky.comcast.net] has quit [Read error: 104 (Connection reset by peer)]
19:55 -!- jeffspeff2 [i=jeff@c-98-240-113-135.hsd1.ky.comcast.net] has joined ##openvpn
19:57 < Dougy> erm
19:57 < Dougy> connection problems jeffspeff2 ?
19:58 -!- jeffspeff [i=jeff@c-98-240-113-135.hsd1.ky.comcast.net] has joined ##openvpn
19:59 < Dougy> connection problems jeffspeff2 ?
19:59 < Dougy> connection problems jeffspeff ?
20:13 -!- jeffspeff2 [i=jeff@c-98-240-113-135.hsd1.ky.comcast.net] has quit [Connection timed out]
20:36 -!- aptanet [n=Paul@87-127-190-18.no-dns-yet.enta.net] has quit ["Leaving"]
20:37 < jeev> lol
20:38 -!- j1nx3d [n=chatzill@CPE0014bf7eb325-CM00137189e19c.cpe.net.cable.rogers.com] has joined ##openvpn
20:41 < j1nx3d> with openvpn does all data pass through the server or do clients communicate directly?
21:22 -!- j1nx3d [n=chatzill@CPE0014bf7eb325-CM00137189e19c.cpe.net.cable.rogers.com] has quit [Read error: 110 (Connection timed out)]
21:30 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has quit [Remote closed the connection]
21:31 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN
21:39 < Dougy> krzee: boo
22:07 -!- jeffspeff [i=jeff@c-98-240-113-135.hsd1.ky.comcast.net] has quit [Read error: 104 (Connection reset by peer)]
22:11 -!- Dougy [n=douglas@ool-43503ed4.dyn.optonline.net] has quit ["Lost terminal"]
22:26 -!- mrbnet [n=mrbnet@12-203-40-55.client.mchsi.com] has joined ##openvpn
22:29 < mrbnet> I am running openvpn on openwrt with a client config. It cannot load the certificate file on boot and I believe this is due to a permissions issue. The only way that it will start is if I call the startup script manually. Any ideas?
--- Day changed Fri Aug 29 2008
00:33 -!- aia [n=aia@unaffiliated/aia] has quit ["Bye"]
01:35 -!- niekie [i=niek@bergnetworks.com] has joined ##openvpn
01:51 -!- krzie [i=nobody@unaffiliated/krzee] has joined ##openvpn
01:51 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn
02:08 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Remote closed the connection]
02:08 -!- krzee is now known as krzy
02:09 -!- krzie is now known as krzee
02:09 -!- krzy is now known as krzie
02:17 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
02:21 < niekie> G'day :)
02:29 < krzee> gday =]
03:38 -!- aptanet [n=Paul@87-127-190-18.no-dns-yet.enta.net] has joined ##openvpn
03:42 -!- aptanet [n=Paul@87-127-190-18.no-dns-yet.enta.net] has quit [Nick collision from services.]
03:43 -!- aptanet [n=Paul@87-127-190-18.no-dns-yet.enta.net] has joined ##openvpn
04:43 -!- BoomSie [n=gideon@dw772421126.amsterdam-tc.dataweb.net] has joined ##openvpn
05:54 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
06:38 -!- aptanet [n=Paul@87-127-190-18.no-dns-yet.enta.net] has quit ["Leaving"]
08:14 -!- ByPasS [n=bypass@taki.secured.org] has joined ##openvpn
08:37 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
08:45 < ecrist> morning, bitches.
08:48 < cpm> Oh, that's nice.
08:49 < cpm> :)
08:49 < cpm> and a fine morning to you too, , ,
08:49 < ecrist> :)
08:49 * ecrist is in vacaction mode.
08:50 < ecrist> I don't know what vacaction is, but it's probably similar to, but more evil, than a vacation.
08:51 < cpm> hrmm. Good thing to keep in mind.
08:55 < cpm> hey, did that fellow who was dreaming about using dozens of routed client vpns in place of a single bridge ever sort himself out?
09:17 < ecrist> no
09:59 -!- pred2k5 [n=Torsten@dslb-088-069-213-042.pools.arcor-ip.net] has joined ##openvpn
09:59 < pred2k5> hi, how to set up a tun device manually?
09:59 < SilenceGold> uh
09:59 < SilenceGold> who was that? cpm..that dreamt of that
09:59 < SilenceGold> pred2k5 to do what?
10:00 < pred2k5> forget about it ;)
10:00 < cpm> SilenceGold, I don't recall who it was.
10:00 < SilenceGold> aw I want to scroll up and laugh
10:01 < cpm> it was from yesterday, 22 or so hours back
10:02 < cpm> that's a guess, don't remember exactly when
10:07 < jeev> dougy
10:08 * niekie has fallen in love with OpenVPN today :)
10:08 * jeev fell in love 3 days ago.
10:08 < niekie> Got it working from my school's WiFi.
10:08 < niekie> So I got internet just like at home, but from school :)
10:09 < niekie> (including printing to my network printer, hehe)
10:09 < niekie> (which came in pretty useful)
10:09 < jeev> you doing redirect-gateway ?
10:10 < niekie> jeev: yup.
10:10 < jeev> awesome
10:10 < niekie> Had to manually set DNS though.
10:10 < jeev> what do you mean
10:10 < jeev> it wouldnt' resolve ?
10:11 < niekie> Yup.
10:11 < niekie> Had to adapt /etc/resolv.conf to use my own nameservers instead of schools.
10:11 < jeev> ahh
10:11 < jeev> you could also push name servers
10:11 < niekie> Didn't pull in the dhcp-option.
10:11 < niekie> Yeah, tried that, didn't work.
10:11 < jeev> ah
10:11 < niekie> But I think you need a script for it under Linux.
10:11 < jeev> no idea
10:12 < niekie> Heh.
10:12 < niekie> Sadly I couldn't get the nm-applet easy OpenVPN setup to work though.
10:12 < niekie> As I had to route it through school's proxy servers, and the applet has no option for that.
10:12 < niekie> Also needed to use TCP instead of UDP.
10:13 < niekie> But oh well, it worked fine once I set it up.
10:13 < jeev> heh
10:14 < niekie> Little bit slower than actual home internet though ;)
10:14 < niekie> Due to low upload and higher download.
10:15 < niekie> Which causes the cap when using redirect-gateway over OpenVPN.
10:15 < niekie> Still, 80-100 kB/s.. can't really complain. :)
10:15 < jeev> yep ep
10:15 < jeev> yep
10:15 < jeev> dood i upgraded my modem yesterday
10:15 < jeev> 16mbit
10:15 < niekie> :o
10:15 < jeev> even though i have an uncapped cable too
10:15 < niekie> 16mbit up?
10:15 < jeev> i should really find the 16mbit capable modem and change MAC already
10:16 < jeev> no man
10:16 < jeev> 2
10:16 < niekie> Heh.
10:16 * niekie decided not to use his paid datacenter server as OpenVPN endpoint for redirect-gateway.
10:17 < niekie> Because I need to pay for bandwidth there :p
10:17 < SilenceGold> lol
10:17 < ecrist> you know an easier way to get internet access at school?
10:17 * SilenceGold runs public IP VPN service for people who do want it
10:17 < jeev> that's what i do
10:17 < jeev> but i dont use much bandwidth so it's fine
10:17 < ecrist> ssh PROXY and firefox
10:17 < niekie> Err.. or just logging in over the web proxy and browsing the web normally.
10:18 < SilenceGold> it's average of like 30 mb for a casual web browser..per week
10:18 < SilenceGold> it's not really much
10:18 < niekie> 30mb per week?
10:18 < niekie> You really don't use much then :p
10:18 < SilenceGold> yea
10:18 < SilenceGold> no not me
10:18 -!- BoomSie [n=gideon@dw772421126.amsterdam-tc.dataweb.net] has quit ["Ex-Chat"]
10:18 < SilenceGold> I see many of those users who are using my VPN service
10:18 < SilenceGold> that they use average 30 mb per week
10:18 < niekie> Ah.
10:18 < SilenceGold> students are apparently using like 1 GB each week
10:19 < niekie> Probably youtubing :p
10:19 < SilenceGold> maybe
10:19 < SilenceGold> i don't log their activities
10:19 < SilenceGold> just how much they use
10:19 < niekie> Heh.
10:19 -!- jeev [n=j@unaffiliated/jeev] has quit []
10:20 < SilenceGold> I had already booted few for excessive usage
10:20 < SilenceGold> :)
10:20 < SilenceGold> well, it's incorrect to say "I"
10:20 < SilenceGold> since it's a script that does it for me
10:20 < niekie> Excessive usage shouldn't be a problem for my ISP.
10:21 < niekie> They say no data limit + no fair use policy ;)
10:21 < niekie> Also, they give SSH accounts to their subscribers for their servers.
10:21 < niekie> Not that I really use those.
10:21 < niekie> I already have my own server ;)
10:22 < ecrist> niekie: you in high school?
10:23 < niekie> ecrist: yeah, MBO ICT Level 4.
10:23 < niekie> (Dutch)
10:23 < niekie> First year.
10:24 < ecrist> ah
10:24 < SilenceGold> I remember that I used to get shell account when I signed up for a dialup service for ISPs
10:24 < SilenceGold> they were popular
10:25 < niekie> Heh.
10:25 * niekie has one of the most relaxed ISPs in NL.
10:25 < niekie> They even give you custom rDNS :)
10:25 < niekie> And several other neat services.
10:25 < niekie> And you're allowed to home-host.
10:27 < niekie> (you pay a lot for it, though)
10:27 < niekie> Anyway, I'm gone for now.
10:28 < ecrist> meh, most of the ISPs here do that...
10:30 < ecrist> fucking a.
10:30 < ecrist> my new HP printer supports IPv6
10:30 < niekie> :o
10:31 < niekie> My new HP printer supports USB2.0 :p
10:31 < niekie> And I got it for free from HP ;)
10:31 < ecrist> I paid $377.00 US
10:32 < niekie> Heh.
10:42 < ecrist> woot:
10:42 < ecrist> TCP/IP(v6)
10:42 < ecrist> Status: Ready
10:42 < ecrist> Link-Local address: FE80::21B:78FF:FE27:D91
10:42 < ecrist> Stateless (from Router): 2001:470:1F07:4AD:21B:78FF:FE27:D91
10:42 < ecrist> Stateful (from DHCPv6): Not configured
10:43 * ecrist <3 his new HP printer.
10:43 < SilenceGold> you already have an ipv6 network?
10:43 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
10:43 < ecrist> SilenceGold: I've had one for well over a year.
10:44 -!- pred2k5 [n=Torsten@dslb-088-069-213-042.pools.arcor-ip.net] has quit [Read error: 110 (Connection timed out)]
10:44 < ecrist> actually, I've got a couple.
10:44 < ecrist> www.secure-computing.net has address 209.240.66.150
10:44 < ecrist> www.secure-computing.net has IPv6 address 2001:4980:1:111::150
10:44 < ecrist> :)
10:44 < Dougy|Work> nice.
10:44 < Dougy|Work> :O
10:45 < ecrist> that's a native block from my ISP.
10:47 * niekie has IPv6 too :)
10:47 < niekie> Through a tunnel provided by my ISP.
11:36 < Dougy|Work> Erm
11:36 < Dougy|Work> Crap.
11:38 < plaerzen> morning irc
11:42 < plaerzen> ecrist: I wish I used freebsd
11:50 < ecrist> why's that?
11:51 < plaerzen> because, we use a smattering of rhel4, fc4, fc6.... it's shit. RPMs are a pain and are unmaintained after 2 versions....
11:51 < plaerzen> freebsd is vastly superior
11:51 < ecrist> heh, yeah, where I work I've got 30+ FreeBSD servers.
11:52 < ecrist> aside from my Mac, a couple windows client machines, everything else is FreeBSD.
11:53 < ecrist> Dougy|Work: what's crap?
11:56 -!- xattack [i=invitado@132.248.108.239] has joined ##openvpn
11:58 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
12:03 < cpm> Caribou Gorn.
12:16 < Dougy|Work> ecrist: nevermind
12:20 < krzee> moin
12:21 < krzee> if any of you are my new neighbor, thank you for using WEP
12:27 -!- OxB001 [n=Mathieu@66-254-37.66.altaspectra.com] has joined ##openvpn
12:27 -!- kraut [i=kraut@blackhole.packetloss.biz] has quit [Connection timed out]
12:29 < OxB001> hi, I have a quick question about static IP for the tunnel endpoints. Server is ok since we configured the network it should use.. but how do I go around and make sure I can define an IP for every client that will not change overtime? I have added 'ifconfig 10.10.13.5 10.10.13.1' to a client config... just want to make sure everything is alright before I reboot the client
12:30 < krzee> instead of doing it in the client config
12:31 < krzee> push it in a ccd entry
12:31 < krzee> !/30
12:32 < Dougy|Work> krzee!!!!!!!!!!
12:33 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn
12:33 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has quit [Read error: 104 (Connection reset by peer)]
12:35 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN
12:35 < krzee> !/30
12:35 < vpnHelper> krzee: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) it is possible to avoid this behavior if you use the beta version with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html
12:35 < Dougy|Work> sup krzee ;o
12:35 < krzee> hey doug
12:35 < Dougy|Work> !menu
12:35 < vpnHelper> Dougy|Work: "menu" is !betaman, !tls-cipher, !howto, !faq, !winroute, !iroute, !route, !mail, !tls-verify, !pastebin, !logs, !man, !ubuntu, !gentoo, !freebsd, !ccd, !mtu, !bridge, !tcp, !privledges, !insanity, !nat, !secure, !ask, !wiki, !sample, !configs, !winpass, !dev, !/30, !multi, !router, !notopenvpn, !path, !netman, !tls-auth, !push, !download, !samba, !forum
12:35 < Dougy|Work> :)
12:35 < Dougy|Work> @ last result
12:36 < krzee> OxB001, if you use topology subnet it will be easier to make sure you're pushing the right ips too
12:36 < krzee> its a new feature in the beta version (which i use and many others do, no reports of instability I've seen)
12:36 < Dougy|Work> krzee: how was your birthday
12:36 < krzee> it was great
12:36 < OxB001> I'm not familiar with ccd entries... but thanks I'll have a look
12:36 < Dougy|Work> get drunk as hell?
12:36 < krzee> !ccd
12:36 < vpnHelper> krzee: "ccd" is entries that are basically included into server.conf, but only for the specified client
12:37 < Dougy|Work> !forum
12:37 < vpnHelper> Dougy|Work: "forum" is The unofficial OpenVPN support forum is available at http://www.ovpnforum.com
12:37 < Dougy|Work> ^^
12:37 < OxB001> but how do you go around and specify which client is which
12:37 < krzee> using the client-config-ir
12:37 < OxB001> (clients are on DSL lines and get a new public IP on every reconnect)
12:37 < krzee> dir
12:37 < krzee> then you make an entry for each client
12:37 < rmull_> OxB001: Each ccd entry has a name corresponding to the name on the cert.
12:37 < Dougy|Work> krzee: did you see the skin I put up?
12:37 < OxB001> ah
12:37 < OxB001> yeah
12:37 < OxB001> thanks
12:37 < krzee> as a file named by the common name of the clients cert
12:39 < krzee> Dougy|Work, some of that isnt english
12:39 < krzee> Cevap Yaz...?
12:39 < Dougy|Work> krzee: where do you see that
12:39 < krzee> Alinti...?
12:39 < Dougy|Work> some middle eastern guy made it
12:39 < Dougy|Work> it was on vb.org
12:39 < Dougy|Work> Where do you see that?
12:39 < krzee> im looking at your OpenVPN install guide
12:39 < Dougy|Work> oh
12:39 < Dougy|Work> the postbit
12:39 < Dougy|Work> hmmm
12:39 < Dougy|Work> fuckin a
12:40 < krzee> the buttons
12:40 < Dougy|Work> the skin is perfect
12:40 < Dougy|Work> but the buttons are in arabic
12:40 < Dougy|Work> UGH
12:40 * Dougy|Work slams head against wall
12:41 < rmull_> s/arabic/english :P
12:41 < Dougy|Work> I have the psd's here also
12:41 < Dougy|Work> i just need someone to edit + reslice
12:41 < Dougy|Work> :<
12:42 * Dougy|Work does not have or know photoshop
12:42 < Dougy|Work> :(
12:42 < rmull_> I believe the GIMP can handle PSD.
12:42 < krzee> you have other skins...
12:42 < krzee> steal from them
12:42 < Dougy|Work> krzee: i like this one :(
12:43 < krzee> just steal buttons then
12:43 < Dougy|Work> rmull_: it can, but it doesn't have a slice thingie
12:43 < Dougy|Work> they're gonna look out of places :p
12:43 < Dougy|Work> place^
12:43 < krzee> not as out of place as arabic
12:43 < Dougy|Work> i can use the default vb ones
12:43 < Dougy|Work> those would work
12:44 < Dougy|Work> hm
12:44 * Dougy|Work fixes
12:46 < Dougy|Work> krzee: look now
12:46 < Dougy|Work> better?
12:46 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
12:47 < Dougy|Work> Damn him.
12:47 < Dougy|Work> :<
12:47 < Dougy|Work> rmull_: looks better now?
12:48 < rmull_> I didn't see the Arabic before (didn't look for it) but yes, seems fine to me :P
12:48 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
12:48 < Dougy|Work> looks ok now?
12:49 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
12:49 < Dougy|Work> wb krzee
12:50 < krzee> thx
12:50 < krzee> !sample
12:50 < vpnHelper> krzee: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs
12:50 * rmull_ whispers: put it in the wiki
12:51 < krzee> heh i was tossing it in the forum under examples
12:51 < rmull_> ah
12:51 < krzee> im putting my writeups in the wiki
12:51 < Dougy|Work> krzee: looks better now?
12:51 < Dougy|Work> (the icons)
12:51 < krzee> so far only 1 writeup made by me tho
12:55 < Dougy|Work> thanks krzee!!
12:56 < krzee> ya buttons are better
12:56 < krzee> !wiki
12:56 < vpnHelper> krzee: "wiki" is https://www.secure-computing.net/wiki/index.php/OpenVPN
12:57 < Dougy|Work> krzee: I'm going to make you a "hidden" moderator
12:57 < Dougy|Work> do you mind?
12:57 < krzee> nah you can gimme all the access you want
12:57 < krzee> heh
12:57 < Dougy|Work> k
12:57 < Dougy|Work> and I'll make it "hidden" if you want?
12:57 -!- BoomSie [n=gideon@212-182-158-43.ip.telfort.nl] has joined ##openvpn
12:57 < krzee> dunno the diff
12:57 < krzee> but sure
12:58 < Dougy|Work> well
12:58 < Dougy|Work> hidden is basically when you post it says "registered member" like everyone else instead of "Moderator"
12:58 < krzee> oh
12:58 < krzee> same diff to me
12:58 * Dougy|Work shrugs
12:58 < Dougy|Work> You tell me what you want i'll do it
12:59 < krzee> hidden is fine
13:00 < Dougy|Work> LOOOL
13:00 < Dougy|Work> i'm looking thru ircpimps.org
13:00 < Dougy|Work> krzee really does look like a pimp
13:00 < Dougy|Work> rofl
13:00 < krzee> hah
13:00 < Dougy|Work> http://www.ircpimps.org/pics/krzee/krz_mel.jpg
13:00 < Dougy|Work> ^
13:01 < Dougy|Work> you either look like a pimp
13:01 < Dougy|Work> or you're stoned as hell
13:01 < Dougy|Work> or both
13:01 < krzee> haha she was nekkid in that pic too
13:01 < krzee> the rest of the pictures from that day show it off more ;]
13:01 < rmull_> What channel does she hang out in <_<
13:01 < krzee> lol
13:01 < krzee> she dunno irc
13:02 < krzee> or inet at all
13:02 < krzee> i think she has dialup aol even
13:02 < Dougy|Work> lol
13:02 < Dougy|Work> well
13:02 < Dougy|Work> i guess i wont look at the rest of those pics at work, eh kreg_work
13:02 < Dougy|Work> er krzee
13:02 < Dougy|Work> lol
13:03 < krzee> nah nothing bad on that page
13:03 < krzee> those are private stash
13:03 < Dougy|Work> lol
13:04 < kreg_work> lo
13:04 < kreg_work> ah typo.
13:04 < krzee> hehe kreg got false pinged
13:04 < krzee> hey kreg =]
13:04 < Dougy|Work> haha
13:04 < Dougy|Work> sup kreg :)
13:05 < kreg_work> yo!
13:06 < Dougy|Work> whatsup
13:06 < Dougy|Work> krzee: do you like that sin?
13:06 < Dougy|Work> skin^
13:06 < krzee> i like sin more, but ya
13:06 < krzee> heh
13:08 < Dougy|Work> :p
13:20 < Dougy|Work> so
13:20 < Dougy|Work> krzee: what other forums do I need to add
13:20 < Dougy|Work> krzee: http://www.ovpnforum.com/showgroups.php
13:21 < krzee> looks fine for now
13:21 < Dougy|Work> Hmm.
13:21 < Dougy|Work> Wanna set up forumbot
13:21 < Dougy|Work> ?
13:21 < krzee> if everyone starts posting in 1, we can think bout splitting it into more
13:21 < krzee> ya ill add it to vpnhelper at some point
13:22 < rmull_> Dougy|Work: Word of advice from ex-forum admin - Wait and see if any of this is necessary...
13:22 < Dougy|Work> rmull_: meh
13:22 * Dougy|Work shrugs
13:22 -!- OxB001 [n=Mathieu@66-254-37.66.altaspectra.com] has left ##openvpn ["Quitte"]
13:22 < Dougy|Work> I have no idea how mailing lists work.
13:22 < Dougy|Work> Or I'd see about that.
13:22 < rmull_> Dougy|Work: What do you mean?
13:23 < Dougy|Work> I'd post something about the forum on the mailing list (openVPN one)
13:23 < Dougy|Work> No idea how those work
13:24 < rmull_> I've got some experience (as a user, not admin) of both Majordomo and Ecartis
13:24 * Dougy|Work shrugs
13:24 < rmull_> Oh - you want to join the openvpn list?
13:24 < Dougy|Work> I don't know anything about it other than what it is
13:25 < Dougy|Work> Is there a URL to it
13:25 < Dougy|Work> !menu
13:25 < vpnHelper> Dougy|Work: "menu" is !betaman, !tls-cipher, !howto, !faq, !winroute, !iroute, !route, !mail, !tls-verify, !pastebin, !logs, !man, !ubuntu, !gentoo, !freebsd, !ccd, !mtu, !bridge, !tcp, !privledges, !insanity, !nat, !secure, !ask, !wiki, !sample, !configs, !winpass, !dev, !/30, !multi, !router, !notopenvpn, !path, !netman, !tls-auth, !push, !download, !samba, !forum
13:25 < rmull_> https://lists.sourceforge.net/lists/listinfo/openvpn-users
13:25 < krzee> !mail
13:25 < vpnHelper> Title: Openvpn-users Info Page (at lists.sourceforge.net)
13:25 < vpnHelper> krzee: "mail" is http://sourceforge.net/mail/?group_id=48978
13:26 < Dougy|Work> Are there a lot of people on it?
13:26 < Dougy|Work> oh
13:26 < Dougy|Work> it says
13:26 < Dougy|Work> lfmao
13:27 < Dougy|Work> Can we post stuff on it ourselves?
13:27 < rmull_> That's the point of it
13:27 < krzee> heh
13:27 * Dougy|Work doesn't know any of this
13:28 < Dougy|Work> sf.net is slow today
13:28 < krzee> its like the forum, only its a mail list
13:28 < krzee> and it is highly used
13:29 < Dougy|Work> Hm
13:29 < Dougy|Work> I need to figure out how to post on it o.O
13:29 < rmull_> Register, send mail to openvpn-users@lists.sourceforge.net
13:30 < Dougy|Work> oh, just email it. mailing list. duh.
13:30 < Dougy|Work> So basically be like "Hey everyone, I'm starting a forum as another method of getting support for openvpn" blahblah?
13:30 < krzee> ill send a post to it for ya
13:30 < Dougy|Work> krzee: :D
13:32 -!- oxygene [n=oxygene@khepri.openbios.org] has left ##openvpn []
13:36 < krzee> sent
13:37 < Dougy|Work> word
13:37 * Dougy|Work looks around
13:37 < krzee> Hey list,
13:37 < krzee> I frequent the ##OpenVPN IRC channel on freenode to give support.
13:37 < krzee> One of the people in the channel decided to make a forum for openvpn, since there doesn't seem to be one.
13:37 < krzee> The URL to it is: http://www.ovpnforum.com/
13:37 < krzee> It is open to all who would like to participate.
13:37 < krzee> It is brand new so there is not much content on it yet, so we'll see how it goes.
13:37 < krzee> -krzee
13:37 < Dougy|Work> where does this show up
13:38 < Dougy|Work> like will it show up here: http://sourceforge.net/mailarchive/forum.php?forum_name=openvpn-users
13:38 < Dougy|Work> ?
13:38 < vpnHelper> Title: SourceForge.net: openvpn-users (at sourceforge.net)
13:38 < krzee> yes
13:38 < Dougy|Work> Nice.
13:38 * Dougy|Work will keep his eyes open
13:38 < krzee> as you can see its still got 08-25 as newest message
13:39 < krzee> so archiving isnt real-time
13:39 < Dougy|Work> yeah :S
13:39 < Dougy|Work> that sucks
13:39 < Dougy|Work> lol
13:39 < krzee> *shrug* its nice theres an archive
13:39 < Dougy|Work> yeah
13:39 < Dougy|Work> oo
13:39 < Dougy|Work> I just got the email
13:39 < Dougy|Work> !!!
13:39 < vpnHelper> Dougy|Work: Error: "!!" is not a valid command.
13:39 < krzee> http://sourceforge.net/mailarchive/forum.php?thread_name=299AC036-C3FF-4D4E-858D-7B8507E99B16%40doeshosting.com&forum_name=openvpn-users
13:39 < Dougy|Work> :O
13:39 < vpnHelper> Title: SourceForge.net: openvpn-users (at sourceforge.net)
13:40 < Dougy|Work> yeah, i just got it emailed to me
13:40 < krzee> theres my message announcing the wiki
13:40 < Dougy|Work> nice
13:40 < Dougy|Work> i just got the one announcing the forum
13:40 < Dougy|Work> Thx jeff :)
13:40 < krzee> yw
13:41 < krzee> ill bbiab
13:41 < Dougy|Work> Cya
13:53 < krzee> hey dougy
13:53 < krzee> wasnt it you that wanted the security writeup?
13:54 < Dougy|Work> it was me indeed
13:54 < krzee> http://www.sans.org/reading_room/whitepapers/vpns/1459.php
13:54 < vpnHelper> Title: SANS Institute - OpenVPN and the SSL VPN Revolution (at www.sans.org)
13:54 < krzee> enjoy
13:54 < krzee> =]
13:54 < Dougy|Work> A bit of a read for today but bookmarked none the less
13:55 < Dougy|Work> thatd be nice to post on the forum
13:55 < Dougy|Work> krzee: http://www.ovpnforum.com/showthread.php?p=5#post5 <-- isn't that kinda erm
13:55 < Dougy|Work> pointless o.O
13:55 < Dougy|Work> no offense
13:55 < krzee> building your own rpm?
13:55 < Dougy|Work> no
13:55 < Dougy|Work> just posting the URL
13:55 < Dougy|Work> lol
13:55 < krzee> *shrug*
13:56 * Dougy|Work shrugs
13:56 < krzee> why rebuild the wheel
13:56 < krzee> ild rather point to an existing wheel
13:56 < krzee> you can remove it if you want
13:56 < Dougy|Work> Nah
13:56 < Dougy|Work> I was just wondering why you didn't put a sentence with it is all
13:56 < Dougy|Work> not a big deal
14:04 -!- xattack [i=invitado@132.248.108.239] has quit ["Leaving"]
14:38 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
14:43 < ecrist> lol, krzee is a junior member.
14:43 < Dougy|Work> lol
14:43 < Dougy|Work> he's not ecrist
14:43 < Dougy|Work> he's just "displaying" as that
14:43 < Dougy|Work> ecrist: http://www.ovpnforum.com/showgroups.php
14:47 * ecrist can't find his gun belt
14:47 < Dougy|Work> how was the orientation
14:48 < Dougy|Work> why do you need a gun belt :S
14:50 < Dougy|Work> i love how my vps fails to respond
14:50 < Dougy|Work> again
14:51 < ecrist> Dougy|Work: I'm a reserve sheriff's deputy as a hobby.
14:51 < Dougy|Work> Nice
14:54 < ecrist> well, I'm off, going to spend some time on the lakes I think, tonight.
14:54 -!- mode/##openvpn [+o Dougy|Work] by ChanServ
14:56 <@Dougy|Work> whoa
14:56 <@Dougy|Work> Cool
14:56 <@Dougy|Work> Who dun it?
14:56 * Dougy|Work pokes ecrist
15:01 -!- ByPasS [n=bypass@taki.secured.org] has left ##openvpn []
15:07 * Dougy|Work pokes krzie
15:19 < plaerzen> Awe, lucky, I have yet to get my +o badge.
15:19 <@Dougy|Work> I don'
15:19 <@Dougy|Work> I don't have access*
15:20 <@Dougy|Work> -> *nickserv* listchans
15:20 <@Dougy|Work> -
15:20 <@Dougy|Work> -NickServ- No channel access was found for the nickname Dougy.
15:20 <@Dougy|Work> So, I'm still trying to figure out how/why I have op.
15:20 <@Dougy|Work> :S
15:20 <@Dougy|Work> I don't mind it at all, of course
15:20 <@Dougy|Work> but
15:20 <@Dougy|Work> lol
15:30 -!- aptanet [n=Paul@87-127-190-18.no-dns-yet.enta.net] has joined ##openvpn
16:04 <@Dougy|Work> hey
16:16 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Client Quit]
16:29 -!- bandini [n=bandini@host29-109-dynamic.16-79-r.retail.telecomitalia.it] has quit ["Ex-Chat"]
16:33 -!- BoomSie [n=gideon@212-182-158-43.ip.telfort.nl] has quit ["Ex-Chat"]
16:47 -!- MoL0ToV [n=g@89.106.92.16] has quit ["changing servers"]
16:48 -!- MoL0ToV [n=g@89.106.92.16] has joined ##openvpn
17:35 -!- aptanet [n=Paul@87-127-190-18.no-dns-yet.enta.net] has quit ["Leaving"]
17:55 <@Dougy|Work> I'm going home
17:55 <@Dougy|Work> cya
18:45 -!- explody [n=groggy@gw.gemstone.com] has joined ##openvpn
18:48 < explody> anyone have some insight on the strength of using only certificates for auth? we're concerned that if a road warrior's cert gets stolen, an attacker could privately crack on it for weeks without us even knowing
19:50 -!- LumberCartel [n=IceChat7@24.86.160.252] has joined ##openvpn
19:52 < LumberCartel> Hello folks. I have a client with OpenVPN on their laptop running WinXP with SP2, and sometimes when they reboot their network adapter is in a "Disabled" state. Is there a command-line way of enabling an adapter in Windows so that I can automate this fix for them, or some other solution? Thanks in advance.
20:02 -!- Netsplit kubrick.freenode.net <-> irc.freenode.net quits: kala, Concept-P, dfas, plik, djs
20:03 -!- Netsplit over, joins: kala, dfas, Concept-P, djs, plik
20:05 < LumberCartel> Bah, Windows sucks. It can't be automated.
20:07 -!- Dougy [n=douglas@ool-43503ed4.dyn.optonline.net] has joined ##openvpn
20:07 < Dougy> sup all!
20:09 < Dougy> ecrist: yo
20:10 < LumberCartel> Dougy: I'm trying to enable a NIC from the command-line in WinXP. The "netsh" stuff seems to be b0rked, which is typical of Microsoft's crap.
20:11 < Dougy> Heh.
20:11 < Dougy> I don't use windows. I'm useless here probably.
20:11 < Dougy> Can you be a bit more specific
20:11 < Dougy> man, I wish I could make Dougy|Work op me
20:12 < LumberCartel> It's for a client. The problem is that their OpenVPN network adapter comes up disabled sometimes.
20:12 < LumberCartel> End users aren't very good at right-clicking on network adapters and selecting "Enabled." Someone else is telling this guy (who is the owner of the company) to switch to the Microsoft VPN to solve the problem, but we just moved everyone over to OpenVPN. I hate idiot competitors like this.
20:14 < Dougy> Heh.
20:14 < Dougy> Competition man.
20:14 < Dougy> Ermm.
20:14 < LumberCartel> It's working fine for all the other users. This is just some idiot being a f***ing ***hole.
20:14 < LumberCartel> Unfortunately he has the boss's ear.
20:15 < LumberCartel> If I can fix this, though, then he'll lose credibility.
20:15 * LumberCartel hates supporting Windows networks because of the politics that seem to go along with them.
20:15 < Dougy> Haha.
20:16 < Dougy> Did you try reinstalling OpenVPN?
20:16 < LumberCartel> Yeah.
20:17 < Dougy> Hm.
20:17 * Dougy tries to think
20:17 < LumberCartel> Never have I seen this problem before. I have OpenVPN deployed at many sites.
20:17 < Dougy> I'm pretty useless
20:17 < Dougy> I don't even know what netsh is ><
20:19 < LumberCartel> The "netsh" command is b0rked.
20:19 < LumberCartel> It seems to be Microsoft's answer to having an ifconfig type of tool.
20:20 < Dougy> Oh.
20:20 < Dougy> My vaporware is better than your vaporware.
20:21 * LumberCartel thinks the world will be a much better place when Microsoft finally goes out of business.
20:21 < Dougy> That will never happen
20:21 < Dougy> however
20:21 < Dougy> all the desktops I build for customers now
20:21 < Dougy> Every single one has Ubuntu :D
20:23 < LumberCartel> For the Widows systems I build, I always put on lots of free software including OpenOffice.org, Mozilla Thunderbird, TightVNC, and the major web browsers (Opera, Mozilla Firefox, Apple Safari, and Lynx), and set them to handle things by default.
20:24 < Dougy> Go you
20:25 < LumberCartel> For systems donated, since they come without Widows licenses, they get Ubuntu (with all its updates).
20:25 < LumberCartel> So far feedback from users has been that they really like it.
20:25 < Dougy> Yes
20:25 < LumberCartel> For servers I use NetBSD.
20:26 < Dougy> Pfft.
20:26 < Dougy> Debian + CentOS + FREEBSD = Win
20:26 < LumberCartel> In the near future I'm planning to try PC-BSD, DesktopBSD, and MidnightBSD, all of which are supposed to be end-user friendly like Ubuntu is.
20:27 < Dougy> I've heard DesktopBSD is good
20:27 < LumberCartel> If Microsoft Widows has FreeBSD in it, it's only portions of the network stack as I understand it, otherwise there'd be an "ifconfig" command in there and I wouldn't be having to screw around with this "netsh" garbage that simply doesn't work.
20:29 < LumberCartel> mota: According to http://www.groupsrv.com/dotnet/about210287.html that "netsh" command doesn't work properly in WinXP; only Win 2003.
20:29 < vpnHelper> Title: How to Dis/Enable Network Adapter? (at www.groupsrv.com)
20:30 < LumberCartel> Sorry, wrong channel.
20:30 < LumberCartel> Folks in #windows are trying to help with this too, but their solutions aren't working. They claim it does work, but this "netsh" command hasn't worked on 3 machines now.
20:31 < Dougy> Haha
20:31 < Dougy> 03 sucks
20:33 < Dougy> er
20:33 < Dougy> XP*
20:33 < Dougy> Anyway.
20:33 < Dougy> Have you tried the mailing list, LumberCartel?
20:33 < Dougy> I'd say check the forum, but I just set the forum up today.
20:34 < LumberCartel> Forum for OpenVPN?
20:34 < Dougy> Yup
20:34 < Dougy> !forum
20:34 < vpnHelper> Dougy: "forum" is The unofficial OpenVPN support forum is available at http://www.ovpnforum.com
20:34 < Dougy> Its brand spanking new
20:34 < Dougy> so not much there
20:34 < LumberCartel> Nice!
20:34 < Dougy> :)
20:34 * LumberCartel spanks the forum in a user-friendly way.
20:34 < Dougy> Haha
20:34 < Dougy> Join up o.O
20:37 * Dougy pokes LumberCartel
20:38 < LumberCartel> I stopped joining forums a long time ago. I'll participate in those that allow anonymous postings (even when the responses are moderated), but otherwise I just don't have the time to keep up. I simply had to stop a long time ago.
20:39 * Dougy pouts
20:40 < LumberCartel> Sorry, it's just that I've lost too many billable hours trying to keep up with forums in the past -- they're addictive to me and I just have to stay away from them.
20:40 < LumberCartel> Just look at how much time I spend in IRC already. =(
20:42 < Dougy> Haha.
20:42 < Dougy> I feel your pain.
20:43 < LumberCartel> I feel like I want to join though.
20:43 < LumberCartel> But I'm not going to.
20:43 * Dougy wants you to join
20:43 < Dougy> joiiiiiin...
20:43 < Dougy> joiiiiiin...
20:43 < Dougy> joiiiiiinnnnnnnnnnn
20:43 * LumberCartel smiles.
20:43 * Dougy talks like it's a cult
20:43 < LumberCartel> I'll tell others too.
20:43 < Dougy> We neeeeed you.
20:43 < Dougy> Haha.
20:43 < Dougy> :)
20:44 < LumberCartel> You should perhaps let the OpenVPN webmasters know about it so they can add it to the resources section. I'm sure that'll get you loads of members. You should, before doing that, include a notice that the username and password they choose should not match anything that's official OpenVPN stuff.
20:44 < LumberCartel> (A show of good faith, in a way.)
20:45 < Dougy> Ehh.
20:45 < Dougy> if the openvpn webmasters abandoned their own irc channel
20:45 < Dougy> why would they care about a forum
20:46 < LumberCartel> ...because someone else would be maintaining it.
20:46 < Dougy> good point.
20:48 < Dougy> where's their rseources section?
20:48 < Dougy> their resources
20:48 < LumberCartel> If they don't have one, then maybe they need one.
20:48 < LumberCartel> Or link it from the "help" section that points to this IRC channel.
20:48 < LumberCartel> My wife wants another massage. See you folks later.
20:48 -!- LumberCartel [n=IceChat7@24.86.160.252] has quit ["Go Team Venture!"]
20:49 < Dougy> I don't see the help section either
20:49 < Dougy> !help
20:49 < vpnHelper> Dougy: (help [] []) -- This command gives a useful description of what does. is only necessary if the command is in more than one plugin.
20:49 < Dougy> oh
20:49 < Dougy> lame
21:17 -!- djs26 [n=djs@unaffiliated/djs26] has joined ##openvpn
21:29 < Dougy> hey djs26
21:29 -!- djs [n=djs@unaffiliated/djs26] has quit [Nick collision from services.]
21:29 -!- djs26 is now known as djs
21:30 < Dougy> hey djs
21:45 -!- Dougy [n=douglas@ool-43503ed4.dyn.optonline.net] has quit ["Lost terminal"]
21:46 -!- Dougy [n=Douglas@ool-43503ed4.dyn.optonline.net] has joined ##openvpn
21:55 -!- jeev [n=j@unaffiliated/jeev] has joined ##openvpn
21:55 < Dougy> JEEV
21:55 < Dougy> :O
21:55 * Dougy needs ecrist to shwo up
21:55 < Dougy> show^
22:01 < jeev> sup
22:03 < Dougy> yoyo
22:03 < Dougy> whats up jeev
22:08 < jeev> nothin
22:08 < jeev> was invited to a dinner
22:08 < jeev> so i'm gonna put on my 65k watch
22:08 < jeev> lol
22:09 < Dougy> lol
22:09 < Dougy> jesus christ
22:09 < Dougy> my life isnt worth 65k.
22:10 -!- dfas [n=none@10.201.216.81.static.s-o.siw.siwnet.net] has quit [Connection timed out]
22:13 -!- socialist [n=groggy@gw.gemstone.com] has joined ##openvpn
22:21 * ecrist is back.
22:21 < Dougy> ecrist!!
22:21 < Dougy> wb
22:21 < Dougy> Erm question for you
22:22 < ecrist> explody: password protect your certificates for clients.
22:22 < ecrist> the only way that can really help minimize that risk.
22:22 < Dougy> ecrist, how/who/why opped Dougy|Work ?
22:22 < ecrist> if that's not enough, add a second authentication token, such as a username/password.
22:22 -!- JohnMahowald [n=john@fedora/fedorared] has quit [Read error: 113 (No route to host)]
22:23 < ecrist> Dougy: I did, before I left.
22:23 < Dougy> Oh
22:23 < Dougy> Thank you :)
22:24 < Dougy> How was whatever you did/
22:24 < Dougy> ?
22:24 < ecrist> boring, tonight. nothing going on.
22:24 < Dougy> lame.
22:24 < ecrist> I hope the next three days are busier.
22:24 < Dougy> what's going no?
22:24 < Dougy> on^
22:26 < ecrist> Republican National Convention.
22:26 < Dougy> oh, right.
22:26 < Dougy> :p
22:26 < Dougy> Btw, if you want to deop Dougy|Work, go for it. its kinda just .. idling
22:26 < Dougy> o.o
22:27 -!- Irssi: ##openvpn: Total of 33 nicks [1 ops, 0 halfops, 0 voices, 32 normal]
22:28 -!- mode/##openvpn [-o Dougy|Work] by ChanServ
22:28 -!- explody [n=groggy@gw.gemstone.com] has quit [Read error: 110 (Connection timed out)]
22:28 < Dougy> :)
22:28 < Dougy> Thanks for the op though eric
22:28 < Dougy> that was pretty cool
22:28 < Dougy> :)
22:28 < ecrist> np
22:28 < Dougy> Im gonna go sleep
22:28 < Dougy> Night :)
22:28 -!- Dougy [n=Douglas@ool-43503ed4.dyn.optonline.net] has quit ["Leaving"]
22:53 -!- A|3x [n=alex@c-76-115-64-119.hsd1.or.comcast.net] has joined ##openvpn
23:06 < A|3x> i get this error message after changing ip: openvpn[14561]: read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
23:18 -!- plaerzen [n=cam@S010600119505deed.cg.shawcable.net] has quit [Read error: 110 (Connection timed out)]
23:35 -!- quentusrex_lapto [n=quentusr@c-71-197-244-228.hsd1.or.comcast.net] has joined ##openvpn
23:35 < quentusrex_lapto> Hello
23:37 < quentusrex_lapto> I'm trying to setup an easy system to install vpn certs for laptops. I want to be able to package the client install so that it uses the custom cert(unique to every machine). Is this possible?
23:49 < SilenceGold> yea it's possible
--- Day changed Sat Aug 30 2008
00:03 < ecrist> quentusrex_lapto: I've written a perl script to do all that for you.
00:03 < ecrist> https://www.secure-computing.net/ssl-admin
00:03 < vpnHelper> Title: SCN Open Source - Trac (at www.secure-computing.net)
00:04 < ecrist> it's not in the easiest form for consumption there, but if you can use perl, that'll get you there.
00:04 < ecrist> if you have problems, let me know and I'll try to clean it up for you.
00:05 < ecrist> if you're on FreeBSD, install the port, which is in a better form from /usr/ports/security/ssl-admin
00:05 * ecrist goes to bed.
00:07 < SilenceGold> nite
00:21 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn
00:43 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
00:59 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
01:03 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
01:08 -!- bandini [n=bandini@host29-109-dynamic.16-79-r.retail.telecomitalia.it] has joined ##openvpn
01:17 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
01:34 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
01:46 < quentusrex_lapto> Can I generate 100 different certs? and have them all named the same file name on each of the different machines?
01:50 < krzee> sure
01:50 < krzee> as long as common name is different
01:50 < krzee> although managing them while created wont be as easy
01:50 < krzee> and knowing which to send where
01:50 < krzee> but ya
01:51 < krzee> filename is not important
01:58 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has quit [Read error: 113 (No route to host)]
02:47 -!- kraut [i=kraut@blackhole.packetloss.biz] has joined ##openvpn
02:57 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
03:49 -!- BoomSie [n=gideon@212-182-158-43.ip.telfort.nl] has joined ##openvpn
04:00 -!- MoL0ToV [n=g@89.106.92.16] has quit ["changing servers"]
04:00 -!- MoL0ToV [n=g@89.106.92.16] has joined ##openvpn
04:16 < kala> quentusrex_lapto: what operating system do you run on the laptops?
04:17 < quentusrex_lapto> debian
04:17 < kala> oh
04:17 < kala> yep, then perl is probably your friend
04:44 -!- MoL0ToV [n=g@89.106.92.16] has quit ["changing servers"]
04:48 -!- MoL0ToV [n=g@89.106.92.16] has joined ##openvpn
05:35 -!- A|3x [n=alex@c-76-115-64-119.hsd1.or.comcast.net] has quit [Read error: 113 (No route to host)]
06:40 -!- ams [i=ams@gnu/inetutils/ams] has joined ##openvpn
06:41 < ams> hi hackers!
06:42 < ams> Say i have the following setup: {internet} -- box with two nic -- switch -- {lots of machines}, `box with two nics' is running openvpn, how would i allow the machines behind the `box with two nics' to access the tunnel?
07:22 -!- weatherhead [n=danw@cpc1-midd4-0-0-cust43.midd.cable.ntl.com] has quit [Remote closed the connection]
08:03 < ecrist> quentusrex_lapto: that's a future feature of ssl-admin, to create bulk certificates and distribute them.
08:22 -!- rmull_ [n=boom@c-76-117-208-224.hsd1.nj.comcast.net] has quit ["leaving"]
08:25 -!- bandini [n=bandini@host29-109-dynamic.16-79-r.retail.telecomitalia.it] has quit [Remote closed the connection]
08:25 -!- bandini [n=bandini@host29-109-dynamic.16-79-r.retail.telecomitalia.it] has joined ##openvpn
08:54 -!- ng12345 [n=chatzill@c-68-46-184-46.hsd1.pa.comcast.net] has joined ##openvpn
08:54 < ng12345> hi i was wondering if anyone would be able to help me with my openvpn config
08:55 < ng12345> i posted recently to the mailing list but didn't realize there was an irc channel so i thought i would check it out
08:56 < ng12345> i've been banging my head against the wall for a while trying to get the client-config-dir command working
09:15 < ng12345> anyone here?
09:30 < SilenceGold> yea we are here
09:31 < SilenceGold> it's counter productive when you haven't mentioned what the problem is..and we're sitting here ignoring you 'cause of that.
09:34 < ng12345> oh ok
09:34 < ng12345> well i dont know how posting works in this channel
09:34 < ng12345> so was hoping for some sort of an intro
09:35 < ng12345> anyways the problem is the client-config-dir command doesn't seem to execute
09:35 < ng12345> i'm running a site to site vpn using linksys routers as the openvpn client and server
09:36 < ng12345> the config files and keys are stored in the /jffs folder of each router
09:36 < ng12345> the server config file contains the command "client-config-dir /jffs/ccd"
09:37 < ng12345> within /jffs/ccd there is one file named client with 2 lines in it : iroute 192.168.1.0 255.255.255.0 and push "route 192.168.7.0 255.255.255.0"
09:37 < ng12345> -- sorry, the server lan ips are 192.168.0.0 and the client lan ips are 192.168.1.0 the purpose of pushing that route is so i can see that it is working. however every time i connect the client, the client successfully connects but does not route the pushed route
09:38 < ng12345> should i copy paste my config files? -- they are pretty long and it already feels like i've spammed the channel with chat
09:40 -!- aia [n=aia@unaffiliated/aia] has joined ##openvpn
09:41 < ng12345> or am i still being ignored?
09:52 < SilenceGold> no I'm just busy
09:52 < SilenceGold> checking irc when I have a chance
09:53 < SilenceGold> pastebin.com
09:53 < SilenceGold> paste your configs from both sides
09:53 < SilenceGold> I'll see if I can give a hint on what is wrong
09:55 < ng12345> http://pastebin.com/m47bfa3d2
09:55 < ng12345> that is the e-mail i sent to the listsrv -- contains both configs and firewall scripts
09:56 < ng12345> i also tried using "client-config-dir /jffs/ccd/" (with the extra slash) and it made no difference
09:59 < SilenceGold> okay
09:59 < SilenceGold> what's in /jffs/ccd/ directory?
10:00 < ng12345> two files
10:00 < ng12345> default and client
10:00 < SilenceGold> oh
10:01 < SilenceGold> you have to have a directory that matches the common name of your SSL certificate that you give to a client
10:01 < SilenceGold> erm wait
10:01 < ng12345> the common name is client
10:01 < SilenceGold> I think it's a file
10:01 < SilenceGold> let me check
10:01 < SilenceGold> oh yea
10:01 < SilenceGold> a file
10:01 < ng12345> yah the openvpn howto said a file name
10:02 < SilenceGold> your SSL certificate also have client as the common name too?
10:02 < ng12345> yah
10:02 < ng12345> i tried a couple different common names and same result
10:02 < ng12345> and also default is supposed to be a catchall if the name doesn't match
10:02 < ng12345> if i change the client-config-dir to an invalid directory, then authentication fails -- so i guess it is checking for something?
10:03 < SilenceGold> k
10:03 < SilenceGold> I see in client:
10:04 < SilenceGold> that you have no ifconfig-push line?
10:04 < ng12345> not in the one i pasted
10:04 < ng12345> i tried that as well
10:04 < ng12345> and it doesn't work
10:05 < ng12345> i did ifconfig-push 10.9.0.9 10.9.0.10 and the client got an ip of 10.9.0.14
10:05 < ng12345> i didn't think that line was necessary -- besides i have ifconfig-pool-persist in my server config (which also is not working)
10:06 < SilenceGold> http://workaround.org/moin/OpenVpnFaq#client-config-dir
10:06 < vpnHelper> Title: OpenVpnFaq - workaround.org - literacy for admins and users (at workaround.org)
10:07 < SilenceGold> well, you can get it working without the client-config-dir?
10:08 < ng12345> i dont understand your question?
10:09 < ng12345> the client connects, but it is not running the commands within the client config dir
10:09 < ng12345> i can ping computers behind the server, but i can not ping computers behind the client
10:10 < SilenceGold> what I meant is
10:10 < SilenceGold> do it without the client-config-dir just to be sure that it is working correctly
10:10 < SilenceGold> then try to get client-config-dir working
10:10 < SilenceGold> so you can rule out other problems such as routing problems
10:11 < ng12345> ok, without client-config-dir i can't get it working; like I said computers behind 192.168.1.0 can ping computers behind 192.168.0.0 but computers behind 192.168.0.0 can not ping computers behind 192.168.1.0
10:11 < SilenceGold> then it's not the client-config-dir problem
10:12 < SilenceGold> 90% of problems with openvpn is the routings
10:12 < ng12345> but, i think that part of that is the server can accept multiple clients, so the only way it knows which ip to send each request is to use the iroute command which has to be in conjunction with the client-config-dir
10:12 < ng12345> at least thats what i have read in my searching
10:12 < SilenceGold> no that's not true
10:12 < ng12345> ok; i put my routing tables in the paste bin also
10:13 < SilenceGold> when your client connects
10:13 < SilenceGold> does it get an ip address?
10:13 < ng12345> yes
10:13 < ng12345> right now it has the ip address 10.9.0.14
10:13 < SilenceGold> okay
10:13 < SilenceGold> client's VPN ip is 10.9.0.14
10:13 < ng12345> the openvpn server has a local lan ip of 192.168.0.1 -- it can successfully ping 10.9.0.14
10:13 < ng12345> yes
10:14 < SilenceGold> your paste is kind of hard for me to read
10:15 < ng12345> sorry -- all the routes automatically highlighted light purple; this is without the highlighting: http://pastebin.com/m6893fe1d
10:15 < SilenceGold> hrm look at your line in server's side config
10:15 < SilenceGold> push "route 192.168.0.0 255.255.255.0"
10:15 < SilenceGold> I don't see a gateway listed?
10:16 < ng12345> it doesn't need one
10:16 < SilenceGold> it's not the colors
10:16 < SilenceGold> it's hard to identify sections
10:17 < ng12345> my apologies
10:19 < SilenceGold> I suggest you to start all over
10:20 < SilenceGold> and this time, get it working without the client-config-dir
10:20 < ng12345> http://pastebin.com/m10b66b5e -- i have highlighted the beginning of each section
10:20 < SilenceGold> just set it up as plain as possible
10:21 < ng12345> yes i've been building up from a basic install
10:21 < ng12345> i started with a static.key configuration and it worked fine
10:21 < SilenceGold> is this the first time?
10:21 < SilenceGold> or you have set up openvpn before?
10:21 < ng12345> first time
10:21 < SilenceGold> hrm
10:21 < SilenceGold> I compared my server side config
10:21 < SilenceGold> yours have "#
10:21 < SilenceGold> server 10.9.0.0 255.255.255.0
10:22 < SilenceGold> "
10:22 < SilenceGold> and mine is
10:22 < SilenceGold> local 216.xx.xx.99
10:22 < SilenceGold> I xx'ed it
10:22 < SilenceGold> did you look at ecrist's site on how to get it working? maybe it'll help 'cause it's plain
10:23 -!- ompaul [n=ompaul@gnewsense/friend/ompaul] has joined ##openvpn
10:24 < ng12345> https://www.secure-computing.net/wiki/index.php/OpenVPN_Server
10:24 < vpnHelper> Title: FreeBSD OpenVPN Server HowTo - Secure Computing Wiki (at www.secure-computing.net)
10:24 < SilenceGold> yea
10:25 < ng12345> though i didn't use his script; his script and mine are almost identical
10:25 < ng12345> except for the lines beginning with client-config-dir
10:25 < ng12345> (in my script)
10:27 < ng12345> i don't have a duplicate-cn line since that contradicts the client-config-dir line and also since i don't need it; persist-key and persist-tun refer to ping-restarts which is not where my problem is; and i am not using a crl
10:27 < ng12345> i dont have the ivans network line -- but i don't know what that is
10:30 < ng12345> also on his site https://www.secure-computing.net/wiki/index.php/OpenVPN/Routing it indicates that i need the client-config-dir path in order to get the server side pinging the client side
10:30 < vpnHelper> Title: OpenVPN/Routing - Secure Computing Wiki (at www.secure-computing.net)
10:32 < SilenceGold> yea
10:32 < SilenceGold> my client-config-dir is empty
10:32 < SilenceGold> but it's a file
10:32 < ng12345> what do you mean
10:32 < ng12345> you have a file called "ccd"?
10:33 < ng12345> this is from that text "You put commands in ccd/client-common-name, and they are only included when the client's common-name matches the name of the file in ccd/. "
10:33 < ng12345> i'm not a linux user so i dont know what that means -- i thought it meant create a file with the client common name within the ccd directory
10:34 < SilenceGold> %cat openvpn.conf | grep client-config-dir
10:34 < SilenceGold> client-config-dir /usr/local/etc/openvpn/clientconfig
10:34 < SilenceGold> %ls -alh | grep clientconfig
10:34 < SilenceGold> -rw-r--r-- 1 vpn wheel 0B Jul 1 13:40 clientconfig
10:34 < SilenceGold> %
10:34 < ng12345> ok but you said the file is empty
10:35 < SilenceGold> yep
10:35 < SilenceGold> that's why it is 0B
10:35 < ng12345> right
10:35 < SilenceGold> meaning zero byte/bit
10:35 < ng12345> so how would you indicate a specific machine within that file -- if i were to do it that way
10:35 < SilenceGold> that's not the point
10:35 < SilenceGold> the point is to get the whole routing working
10:36 < SilenceGold> before you go further beyond the scope of the basis of openvpn setup
10:36 < SilenceGold> you're ahead of yourself when you are wanting to use the client-config-dir
10:36 < ng12345> ok
10:36 < ng12345> well really i'm not using that command anyway since it isn't executing :-P
10:37 < SilenceGold> well, you're screwing with something that takes experienced linux user to do on a linksys router
10:38 < ng12345> ok i'm running my ovpn file without the client-config lines
10:39 < ng12345> now it is exactly like the pasted config on the wiki
10:40 < ng12345> i dont know if it is as much my inexperience with linux as it is my inexperience with routing tables
10:41 < SilenceGold> even experienced linux administrators get stumbled onto those routing problems related to the openvpn setups
10:41 < SilenceGold> if that happens, a rookie will run into a lot more trouble
10:43 < ng12345> alright backtracked to a non clientconfigdir config
10:43 < ng12345> 192.168.1.1 can ping 192.168.0.1
10:44 < ng12345> but 192.168.0.1 can not ping 192.168.1.1
10:44 < ng12345> so its the same issue
10:44 < ng12345> there is a route missing that is telling the server 192.168.1.0 should go through the client's vpn address
10:47 < SilenceGold> okay
10:47 -!- BoomSie [n=gideon@212-182-158-43.ip.telfort.nl] has quit ["Ex-Chat"]
10:47 < SilenceGold> then you can try doing it manually to see if you're right..if you're right..then you can put in the new route into the config
10:47 < SilenceGold> if you're wrong, delete the route then try a diff route
10:47 < ng12345> yup doing that now -- isn't working
10:49 < ng12345> this is the current configuration: server lan 192.168.0.0<--10.9.0.1/10.9.0.2 10.9.0.5/10.9.0.6 -->client lan 192.168.1.0
10:49 < ng12345> so the client side can successfully ping 192.168.1.1, 10.9.0.1, and 192.168.0.1
10:50 < ng12345> the server side can successfully ping 192.168.0.1, 10.9.0.6 but not 192.168.1.1
10:53 < SilenceGold> oh wait
10:53 < SilenceGold> I see now
10:53 < SilenceGold> you're doing the route
10:53 < SilenceGold> not the bridge
10:53 < SilenceGold> the server side can't reach beyond the clients
10:53 < SilenceGold> unless you use route
10:53 < SilenceGold> I meant the bridge
10:53 < SilenceGold> unless you use the bridge...that's tap..not tun
10:53 < SilenceGold> tun is route
10:53 < SilenceGold> hrm
10:54 < SilenceGold> or you can turn that client into a route?
10:54 < SilenceGold> *router
10:54 < ng12345> it is a router
10:54 < SilenceGold> I know it's a linksys router
10:54 < SilenceGold> but i meant..to make it route past 192.168.1.0
10:55 < SilenceGold> I think your client is doing one way route...not two way route
10:55 < ng12345> ok
10:55 < ng12345> how do i create the second route
10:55 < SilenceGold> hrm
10:55 < ng12345> i am forwarding all packets over the tunnel to the local ports
10:55 < SilenceGold> make sure your server knows that anything going to 192.168.1.0/24 should be routed to the client's VPN ip
10:56 < SilenceGold> pastebin your server's routing table
10:56 < ng12345> hehe -- ok that is what i've been trying
10:56 < ng12345> it is there already in that previous one
10:56 < SilenceGold> give me the current one
10:57 < ng12345> its the same but hold on
10:58 < ng12345> http://pastebin.com/m633f81f
11:06 < ng12345> is there a route you would suggest?
11:10 < SilenceGold> don't use 10.9.0.2
11:10 < SilenceGold> use the client's VPN ip address
11:10 < SilenceGold> I think 10.9.0.6 if I am correct
11:10 < ng12345> yah then it says network not reachable
11:11 < ng12345> so i can't add that route
11:11 < SilenceGold> 10.9.0.5?
11:11 < ng12345> same
11:11 < SilenceGold> hrm
11:11 < ng12345> though 10.9.0.6 is pingable
11:11 < SilenceGold> you said that the server can ping 10.9.0.6?
11:11 < ng12345> i can't traceroute it
11:11 < SilenceGold> what ip is the client using for 192.168.1.0/24?
11:12 < ng12345> 192.168.1.1
11:13 < SilenceGold> try that one?
11:14 < ng12345> well that isn't pingable nor traceable
11:14 < SilenceGold> my guess is that your linksys router is limited to do one way routing
11:15 < SilenceGold> not two way router like a real router does
11:15 < SilenceGold> I have two freebsd boxes that are set up just like your linksys routers..
11:15 < SilenceGold> they both are routing two ways
11:15 < SilenceGold> 192.168.0.0/24 LAN network...and 192.168.5.0/24 LAN network all shared via the internet with two DSL connections
11:16 < ng12345> but they are the same linksys routers on both ends
11:16 < ng12345> and i can get two way communication on the client side
11:16 < ng12345> meaning it can receive and transmit packets
11:17 < ng12345> could i see your routing tables/configs?
11:17 < SilenceGold> sure
11:19 < SilenceGold> hrm
11:19 < SilenceGold> can't access inside it from here
11:19 < SilenceGold> I'll do a quick one that uses my public services
11:22 < SilenceGold> http://pastebin.com/d131ae2e6
11:24 < ng12345> k thanks
11:24 < ng12345> alright well thanks for your help
11:24 < ng12345> i guess i'll go fiddle around some more
11:26 < Dougy|Work> morning ya'll
11:27 < SilenceGold> morning
11:27 < SilenceGold> btw, you sleep at work?
11:27 < SilenceGold> :)
11:29 < Dougy|Work> No
11:30 < Dougy|Work> Why does everyone ask that
11:30 < Dougy|Work> o.O
11:31 < SilenceGold> 'cause "morning" usually mean that you just woke up
11:32 < Dougy|Work> I just walked in
11:32 < Dougy|Work> o.O
11:39 -!- MoL0ToV [n=g@89.106.92.16] has quit ["changing servers"]
11:40 -!- MoL0ToV [n=g@89.106.92.16] has joined ##openvpn
12:03 -!- djs [n=djs@unaffiliated/djs26] has left ##openvpn []
13:18 -!- aia [n=aia@unaffiliated/aia] has quit ["Bye"]
13:24 < Dougy|Work> LMFAO
13:34 -!- quentusrex_lapto [n=quentusr@c-71-197-244-228.hsd1.or.comcast.net] has quit [Success]
14:27 * Dougy|Work pokes jeev
14:42 < ng12345> yay! i got the pinging to work using tap
14:42 < ng12345> but the client config dir still is messed up
14:47 < Dougy|Work> lol
14:48 < ng12345> dougy do you happen to know the syntax for client-config-dir?
14:49 < ng12345> i've tried everything that i have found on the net, and none of the ccd config files get accessed or run
14:49 < ng12345> and even if i add the ccd-exclusive command in -- it doesn't deny client access when they don't have a ccd file
14:52 < ng12345> this is the config file i made: http://pastebin.com/m4843ea53
15:03 -!- bandini [n=bandini@host29-109-dynamic.16-79-r.retail.telecomitalia.it] has quit ["Ex-Chat"]
15:05 < Dougy|Work> ng12345, did you look at
15:05 < Dougy|Work> !ccd
15:05 < vpnHelper> Dougy|Work: "ccd" is entries that are basically included into server.conf, but only for the specified client
15:05 < Dougy|Work> oh
15:05 < Dougy|Work> that's useless
15:05 < Dougy|Work> heh
15:05 < Dougy|Work> hold on
15:05 < ng12345> oh is that how you use vpnhelper
15:05 < ng12345> yah i looked everywhere
15:05 < ng12345> i tried client-config-dir ccd
15:05 < Dougy|Work> yes nj
15:05 < Dougy|Work> ng*
15:05 < Dougy|Work> !menu
15:05 < vpnHelper> Dougy|Work: "menu" is !betaman, !tls-cipher, !howto, !faq, !winroute, !iroute, !route, !mail, !tls-verify, !pastebin, !logs, !man, !ubuntu, !gentoo, !freebsd, !ccd, !mtu, !bridge, !tcp, !privledges, !insanity, !nat, !secure, !ask, !wiki, !sample, !configs, !winpass, !dev, !/30, !multi, !router, !notopenvpn, !path, !netman, !tls-auth, !push, !download, !samba, !forum
15:05 < Dougy|Work> there are all the features s/he/it has
15:06 < ng12345> cool
15:06 < ng12345> i tried help
15:06 < ng12345> and nothing showed up
15:06 < Dougy|Work> ah
15:06 < Dougy|Work> !menu is what you need
15:06 < vpnHelper> Dougy|Work: Error: "menu" is not a valid command.
15:06 < ng12345> !menu
15:06 < vpnHelper> ng12345: "menu" is !betaman, !tls-cipher, !howto, !faq, !winroute, !iroute, !route, !mail, !tls-verify, !pastebin, !logs, !man, !ubuntu, !gentoo, !freebsd, !ccd, !mtu, !bridge, !tcp, !privledges, !insanity, !nat, !secure, !ask, !wiki, !sample, !configs, !winpass, !dev, !/30, !multi, !router, !notopenvpn, !path, !netman, !tls-auth, !push, !download, !samba, !forum
15:07 < ng12345> i